23542300x8000000000000000399024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:44.965{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79897989EC81986A63B6B41242052F4,SHA256=2E47C9F6BFEBA83746F794DD2969B51D9BC4ED789DDE864F9AFC97EFE45A93A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:44.367{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDA5A39D8D1FED7659936ADFF186328,SHA256=C063DEF6DDB9C16C4C05A8B6F6870D62BDB9B9E48B32555E515C1D947B23CD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:45.981{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D72842B537D6DCD3BE100E7BFCB7A2F,SHA256=168697A9E1A147C82621D5B33EA08C14871F9DD9BBB62C383682F1930FAD297C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:45.382{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD61565C98D6B69519063B20955AEF0,SHA256=E4217058AEC49155F2B6C611A7D1B023E462B0C7DEA69FF0C15DE6AA5C61A812,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:42.632{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:46.396{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B5BE91A335409F36FBD996E4B13145,SHA256=372922F8043743B694BC3A68FD865F038302E824FE83A518C36EBBFCD17B0145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:47.426{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2CB8B89CE70357521936B3BFDE5319,SHA256=3A57C49BE9382A0B73C2671D3E4CCE9C45076F3517E2DE90A1AE4AAFC3E0AEDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:45.452{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53963-false10.0.1.12-8000- 23542300x8000000000000000399026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:46.997{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95186E345E5B66B21DA53D2ED3DA6DCC,SHA256=3EFB0473822462909F519E6766CFDB4EEDFEB6DCCF738A073CCEF26F5FA05810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:48.442{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50CAA28FFAD1471DB7B273C58DB9503,SHA256=6D623CD406FB0F8831D483F7E35C0FDC3EA64D70492C6B5E967C23C05871DF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:47.997{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C778E1BC1016DBBFA068F4BD02DB09B,SHA256=A5DBBF7F545B1710145EF210FB2F34C2F994192254672174B492A34FB700E2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:49.216{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB2E4740CBEFA85CB5C28C11137DFAE,SHA256=292215B6B0DD951EF4CE180894F975CC3E4CD5909C0BFE39613C37FD734E8A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:49.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B7E1D38219D85566BD2A27BE5E2354,SHA256=9A81C7F54A207B25C034DE1BC93D275E4C40C04B2B66ED7FA5367AD15428732F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:50.262{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D9DBCB8F8C18F9B759BE5A8B20991D,SHA256=B70687B751E077B1F96CBF4685F2EFC67900EB7444495059649A4FBEBDA9D76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:50.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CCF5C740C1A1184E7FF4DDD03A3014,SHA256=DE71DAA0E29D2785599D506AEDBE7031F0B41C4B17F6DC207275E3F1A6D1BE58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:50.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:50.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:50.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:51.496{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DF6E1C38F2B39501CFE84DC18233B3,SHA256=220E3404D3B6AF7BDC3FD228C473B8FD4EB891B69E78AAAC471F2BDA959E5F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:51.278{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD91AC6C600445984F968B6C7E8552D3,SHA256=2F7E2DB2B9A29E6E2CA09E0E88543E163314446916F8E936084A43DC77F74184,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:48.624{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:52.526{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393827AAB4D2DC47B1B6E1A5127620F5,SHA256=2A2C3E2DB7E98C97714F3E4A363FF6EDFF17E53C39E3430E48AADC390E5E257F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:51.436{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53964-false10.0.1.12-8000- 23542300x8000000000000000399032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:52.325{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002214C4EC90126784538630529333CE,SHA256=75EC9ABC2785671D61544EC7F7A8CAF1F8308D9F8BF6CB5E6B2FD6D58D587EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:53.542{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B746B1FEC54894ED57CC9F8EDF903325,SHA256=752DC527D9B68D14B940BCC8A881231C9FC844725F12ECBDF4D11113952CB355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:53.372{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8480469FF712CD9B05F22D48D64E229,SHA256=C34C11AF21D99C1FE08068F84F63E38C1CCAADC149934CEF3DA36A0AC8F5857F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:54.561{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B6FBABB839B9ED1941732D4CFAF604,SHA256=06F8F6FB3FD3CD17700B683C5F67C85922BA0CA933DF9F213C695C282E0FA2A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:54.372{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38D442857F465FCAD32B16FEE8872B5,SHA256=4F1B006AE4F31D68B78520294CAFEB2ADF20DBC1C615671041E9256FE5E5257E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:55.576{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B481ACE61D571733DD2E8D69E059460C,SHA256=E50F357E765924E23D30893E96EAA51F101328C9782D54A936EB9CCEC5D7B103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:55.372{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63D07B565F576D93B8A1AEFF5FFB0AF,SHA256=846EE5BFB8095B90B7EB8A43FAEEF4180EDD8FD0B8F5422475C51746B8768990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:56.590{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5852CF66A6DA1B2CBD5D80F79DFEF04,SHA256=272B05AA8106321EFEA865C0FE08D5501EF80FF841D43D298A82B4B114E16540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:56.372{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB4414F163AB1B4366213C23925824B,SHA256=68E5C53945DEBF415C62555828580E72E1A35945187C0CAD67207E6DDCE742E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:53.672{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60968-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:57.605{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B05C6CF9576C76832EB38942F0A1F5B,SHA256=4FA6DE8B84E4958E3B6A2F3BAAF133A3D028B523B93B0E70964F0152EE6B257C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:57.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6DFE4CF7D4933C3DC1B8331F446F2A,SHA256=838F93313A60C4AB57ABCFF6DC1F6EF3DD6CDF7AE94A9B7C979EC3E22A02BD94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0A-60E3-380B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A0A-60E3-380B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0A-60E3-380B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.958{D694AEB8-0A0A-60E3-380B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.638{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD159CE6C087EA4F8BFE34D3AFDEF3C,SHA256=C87EA8FE76E0FCF3ECA8BC9129036B4E7EA8B641E3DB68BC35D54311CB7C4ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:58.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E626E19B6CB58D996DB2A10F1586481,SHA256=AF6A014A5B33A1C0DD7495A229472F3BD3126A8D27A5FCB321570B9161C57EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.656{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CFDBA70D2A6DA5C7394FA59188A6C4,SHA256=211D78307B7F7995290B8BB5824DE7B005EB7489C0011A2B83BFA624D65C1AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:59.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4721FB6CD238EDEF2E5ADE69F03209A,SHA256=FF0848A34DA4E7BCE5D191648DBF64032CA5DD25491817895F26E4C10265DD52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.639{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0B-60E3-390B-00000000D301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A0B-60E3-390B-00000000D301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.636{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0B-60E3-390B-00000000D301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.635{D694AEB8-0A0B-60E3-390B-00000000D301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000399040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:57.468{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53965-false10.0.1.12-8000- 23542300x80000000000000001454331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.686{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E72D549BC53EBD0F015AD0F725FA25,SHA256=3E2F2A60ECA04A1020C425BC5E0EC5629A33E7E1B0E265BD537454C279AA6EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:00.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548C7B2DDE2AE95F10433BC327AC5652,SHA256=9A29DAA51A9A2431DDA440CEC1EC3DFAF0ECDFD443B24D71B7226D01DB0320F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.470{D694AEB8-0A0C-60E3-3A0B-00000000D301}12526816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0C-60E3-3A0B-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A0C-60E3-3A0B-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0C-60E3-3A0B-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-0A0C-60E3-3A0B-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.002{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C07E4AA1A30A2E6A0D02A3A23D49CA,SHA256=A16AF25C2D773C284938ECB941698E972D84880F24C5D20AFE54DCBA44FF0207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.002{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B05CA0F5066CDD1AC8C82E74E0E0EAE4,SHA256=9FF994A68B8ECA753D097628D044B63A010FAEA88D81012F1934651AB9DE7FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:01.986{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\aborted-session-pingMD5=0D4C030C1FAABAB1A7B4DC5CBFCF8269,SHA256=E12F0C07CDB88042FB80ECD6169B974215B4608B64B7371056ABCE3AD10628F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:01.716{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6A50F58D8520F3E44D8A35BBE61ACC,SHA256=A2A30529036140A4F287C030F40745BEB740A90D406725F279F7622C4DAE410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:01.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3D7B5E7B716F55733B5BBF2D9BA102,SHA256=664DB646A41D0B267A960A447E4459194F115789A7CA34FBC10657F775548978,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.503{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:01.354{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C07E4AA1A30A2E6A0D02A3A23D49CA,SHA256=A16AF25C2D773C284938ECB941698E972D84880F24C5D20AFE54DCBA44FF0207,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.936{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.933{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.933{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.932{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.734{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E81A05AF0B26FC343525316A3C075DA,SHA256=C53F18CCBF0020FBC706430BD4043578B8370101220D253DF3ABDF58A414BBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:02.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51B0A994BE6C498A658BE50CBD269D3,SHA256=9547D5BBFF5F7DD416DF64B9E1DC2D02806CF93EF8BA7B0296CC6B95C60EADFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.967{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A44887A46BF80450485752CE799C7CDC,SHA256=54602F8D687F60C2AA29070A5AB6533E6C5218E232B44D3E5A287A8B66E7FC6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.751{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C52345C6AB0BC3BCD1AB9ED0CDC2FF,SHA256=865A063E193AEFA90C5DFAF9EEE150973246700AAF76F7DFE54499A7B03EC94C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.751{D694AEB8-0A0F-60E3-3C0B-00000000D301}58081872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:03.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047118F863D56DF8A7DA5777DADF0835,SHA256=F277A92877881D00D864FDC00CDDDBDB4DE191DBE33B32316E6A908C81D44846,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0F-60E3-3C0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A0F-60E3-3C0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0F-60E3-3C0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-0A0F-60E3-3C0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001454345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.083{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A10-60E3-3E0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A10-60E3-3E0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A10-60E3-3E0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.967{D694AEB8-0A10-60E3-3E0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.782{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE6968C97A8DF0190DE39D0F5CA8E48,SHA256=A2F457491DD920ABB3B0CA0F78A76ECF5DD84646809296DAD0154705574A8291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:04.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B70CA6689A0E6556FBAB19ADCA1C2C0,SHA256=288B1E92AF85599454BC77EC7386EF451E2047CE6CF64E063792C99081B39CFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.451{D694AEB8-0A10-60E3-3D0B-00000000D301}52846480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A10-60E3-3D0B-00000000D301}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A10-60E3-3D0B-00000000D301}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A10-60E3-3D0B-00000000D301}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.283{D694AEB8-0A10-60E3-3D0B-00000000D301}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:05.796{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4509531D122101317737776897ECF1D,SHA256=474F119A0BB70069E1C60E9340A67C39E84251EC1D9225A088E161F6CDA59656,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:03.454{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53966-false10.0.1.12-8000- 23542300x8000000000000000399047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:05.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CBCF26A08E287DB5F701E330319DA4,SHA256=1F1CB51574CB120CF60F816AD0987BAEB9EB4BD7A7CAC8B40811E35A3EDA3EF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.377{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60970-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.377{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60970-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001454375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:05.312{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=648FB90FCC6673F3F0F7CC28B6B03101,SHA256=9A0FC2EA63B6F05AD043E2F76B7B7D96B1B13F7AB30508B6DF68ABBF1B01646A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:06.811{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90A120760222218EC80FFD2E63EA840,SHA256=EFE288041537882824084AE02D8A879B78FD2019A2D220CA85F33D6F084C666E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:06.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42BEF06B458E768F23D4C20538D684C,SHA256=624F039386DE12C976C92B2EB5FB592C52D20A4E0E6A7A71003F9041671A9FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:07.828{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B4E1C7A29598A2CC972A79C7E3F330,SHA256=02E931CAAB588A9ED9D590563690B93D5171DAF90BB22495516FB3E1D0C960CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:07.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201EBE2ACD4B5917420C4AEFC79F45DE,SHA256=8FF2C0DB62D706333310D7F0A6752584303045EB7D21C4CCEFD33968AA3323C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:05.529{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60971-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:08.846{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCCBE19CDD98F6F1A65F39FF93B93D5,SHA256=38E2DE1512542BB1ACA18605B8A01AE503CFDD5F6A51A351B1B9EB27C56B026F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:08.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6AE192155B077D116894DB892D74C8,SHA256=183FA17151BB9316516D7A29B01D9153D86DA4FCCD7ABAD39FEFC25ADF09B250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:09.876{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6441519A14D5AC7481BE50CCDE0ED96,SHA256=797A837E55DF81B9593AD609B167EFECE38E895BDCF364EA4CDC60BCED351F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:09.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF5DB7376CE290CF08E13D2E4EBD1B7,SHA256=D298D4E57EA950C0A9D4B961DBFBC67240A67601DA26EA541CBDB249449A6B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:10.927{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BBAFB126709E28E5AA498848F94E7D,SHA256=5D4F1E2A1406506B9497FC91B7F57C252F44412FDC92F220D078366E9329AF58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:09.218{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53967-false10.0.1.12-8000- 23542300x8000000000000000399053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:10.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E5F7D0DB02EC39DE299D3E233ED325,SHA256=E52D80621F02360D34B75667DA3D847FB2F003B29F92AC3BB52C74152B707F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:11.943{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9417718B50027A132402555E99416D8F,SHA256=C4543A54A9BB088F142B3F152E824ED3A643AC2696DA57ADCAE1B7C05589D8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:11.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C92A83E235A11510CA9EC14B4229824,SHA256=1C8D9B028EA41C68D91F38E2761582E6ABC9149228AAEFA99F8A20181CEDE4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:12.957{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39625F59F23F52449001351CEBCD21F,SHA256=35B4AFB04CEDE9777FA09A19C88C2717B4BBA6D0FB3E5447F12C051B63937BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:12.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A861F2A4A406881242C49FD0C8D631,SHA256=74981E6A3968C38DB680AE82890223A2A1F8A1774D035B99654B062FBDBA5746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:13.972{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D59DE28A7CEB6B711799F301EEFD4EA,SHA256=CFCFF520959D49511D1602A47575741A924115C26EC56F9F1B16F1AA5D1C6F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:13.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152CBFB5C0E92B3A099169E2ECBC9F57,SHA256=DE99DB3CF8BD1164BBD19415451EC645B18A5EB62336D448D8002EE4E46D6A21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:11.537{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60972-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:14.986{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B66F12A3AFF3D3D33C92DA1A58AC34,SHA256=730ADDB960DC6DADC1DECBB49E786797791212C33E0A76FA81527F328513BA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:14.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536D8397BBE7B86BAE70A43E43A87AD8,SHA256=A030219BB3EE7FB17D1BDC568759FBA6D0C23018CC246FFE10F6A25668EBFC72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:14.468{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53968-false10.0.1.12-8000- 23542300x8000000000000000399059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:15.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D82406202FE33CA465302B2232ADAE3,SHA256=2B50714A17B84FFA4B706DB1B589EB5DFE6DF56FD9B95EEA37BC5FD7FEF7658F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:16.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997E7CE7815D5427BD7B89693D079780,SHA256=85E810450E36469CD37429D77AF281EC7ACAB9E18D95E40629CB0030AE42A04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:16.000{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F40A26C6021E2BC7C0682FEA8BB954,SHA256=BBB9507E64F0092C1EF7D87D88E7F0E2BEAD7A15F8B30427B51FB069229514FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:17.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE638301024A94F4FFBFCA0C145B483,SHA256=B7818528B324C089975B91D979CF4FA3139B4257B90C448307C0D87476B2267A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:17.018{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833B53CC0BEAA12306490B4C67967E3C,SHA256=0E81FC89BC99DAC23A60311AF6C90C0F7C4711DF871302C647F8F645FE5662A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:18.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55B8DEB2B1E3818D73B2D986F9B9CD9,SHA256=A67DDC90378BA2C9656CA0D562B6AC071A56B81AC31E1228FCCBED2F421EFCB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:18.051{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3889BB4761703AE4E480736C49293702,SHA256=E18DFCABC19D671A66F0D0586A105CDE6C0903C26F9B4052D7833D79DFDA9B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:19.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEDD22589B31A327A5E8B07B3BDD589,SHA256=316CA05BA8C867C8D520C6E93F70BF434D2A8FF064B11FD7768D814923C165DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:17.561{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:19.066{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B7F2FB7AE31207896F4781708CBEE1,SHA256=DD77CBDA10F6F4741C4CC0B304C342F1ECC590A7ED51AD23D6DD6D7F4B3690F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:20.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECD91BF8003B0A317B0D363C9E67977,SHA256=B03D7F48543A9514A10E651855F1CE0BF2598F97EC0F3C89A7E7E1346B4ECBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:20.081{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D734D00F76015417B5002627300504A6,SHA256=4C9E7BF6D83DD3C8EE1F6A25085AF3CCEE82F70F30F5CCC000E07353915F3BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:21.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF7A1DC805F6E611F1D8DD5E40016B8,SHA256=CDB25E1D208FF69823A0FD076D649290F47FDA75CB2CDC2B66C4429D770255A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:21.095{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B12E13E8F1098903CFFCCEB1C2B648,SHA256=EDC0B820EA137986DCCF9F9765C61F10A02D161905496847E62AF701BFDC30C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:22.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0146909C5B256C0D190239C5BB1E7A75,SHA256=025B33162A3C5D002BEA10F1A2E5376470A7ECD74C088083F229BB0ABD12F00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:22.113{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92C73B5E1D7253FD0EE9A605236EFCF,SHA256=5C0834EA1B9480D9A77D9C87517C00883C6A6B8E85BA2E8983FFB5DEA8A1C6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:22.122{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E924BF87336752B52DDE092EA7193B2,SHA256=4D75E8F84FF60465C1908B384675AD20ED55CEB76F531165170B99C19CA36204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:22.122{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=614257C0351B1C167B87EA0F6959BBB1,SHA256=3BD69E1EAB036F94960C922F8C026A7DAEB19CEE91F3B92359D5A865587ED8D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:20.249{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53969-false10.0.1.12-8000- 23542300x8000000000000000399072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:23.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA064B5A250F943800F3EBE52F21DBC1,SHA256=BCE12C76E77BAC3EB02FFA237122C9F937DA4F8B1E8E7855C09A95133D9613B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:23.131{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A527696A1D34719196C2C660FFD2D8,SHA256=E6E7B4B4EC4D19485A68D6B60BBF12AB52C3A4B21E439B1639BA1B47642B9745,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:21.019{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-61152-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000399073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:24.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE26F543BE982DF0AEA6B361F694770,SHA256=D27BCCC5F57426088805924128821B826154CBD56019976C0E5A0E4F082A58BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:24.146{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66217471F65DCE0D7C84AB16640ECCC2,SHA256=314F7C738EC4536017EF6A3387120B06C3F07920D6338D77B8E8A2092BFAE9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:25.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1657048177B19A1C8ABABFD77EBB393A,SHA256=F92480B6E0A27EBE135E2B4B050265E0116E43830181FA5B60F70A8BD11A5914,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:23.593{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:25.160{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC3614E4863DCA10D13BB6C7C8F10A2,SHA256=8BCCB0FB707ED62B6AAC8C68E20E51BC96C39684B09806F09AF04C1DAF22C3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:26.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0A5CBAAA425B254A9E921671C771B9,SHA256=293669D55A9C78D121CF169969483D7BD82404ED4023BE9B97BAED25893805F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:26.190{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD6688C2348563610A80D53928E5720,SHA256=F0509BA96D0B0D6F4E9DC76FFE28FF60E1C0707FB1EA50BE24CC5CC000396467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:26.372{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=27DFB73D54298AA27B86C45CDB20658D,SHA256=DB803251174EEE27A9E6E1BF0CCD9BB7C440BCAFD5A36B2EFAA5B0FCB929EF47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:26.234{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53970-false10.0.1.12-8000- 23542300x8000000000000000399077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:27.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0695B3076D6219D19FA3268C1004707A,SHA256=68445B772C614C120529A88C7C405D8C21986128E53BFC75462F999EC27A5270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:27.206{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC46151180CB78769AB665AF88430DE1,SHA256=6284C1763BAB9BA8807534EBC9F12591CE1971E9A935E9FED991ABF3E5C903E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:28.225{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728090882D8E3D4F2C037BC107B3F1F2,SHA256=F5EAEAD33FEFDEFFFD5EDA3DA0B509E99C0F81B8EB0D77355C7BCAB6A1F728A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:28.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F519C686D56F73B6BEF868B852E5F6,SHA256=E2897C935271AF0F9BFEF5D05F996AC993BD474ABCB7FAF58E9F66D869AE253F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:29.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B4E67201B4E22E64C2C8507ACF93B6,SHA256=19829350EBF11838F2952640EB4A356F0CB476A74665CDE76F987C592CCC8ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:29.239{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E91681A058E6E02B3B773612A2B9B15,SHA256=70435A1601E1F35AA89A21D80BC4608FA823A7E2AC2FA1A2A01158AE008607B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:30.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D73DA42F6C5E8F13F22AC3736D3C61,SHA256=E5672441952FF1ED0F28D5FF4136E0662673BBA3C8C18D990F660E941AE6BC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:30.604{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:30.269{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994B4792CD122622F7812CD8E5075860,SHA256=162389B9233E5DB92C0D182C9B77A8874980D3A0174789B35FF294C861258051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:31.544{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5895550005FD4302D641EE4CF3F126,SHA256=E151AB664348F69F8DCD97E96C9D5705870C18E33353AD3DE7A21AADECEE2D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:31.284{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE0CECBA3926F5557FACCBE6D3F0B83,SHA256=F93BC19BB235118C58B3886EB62C0196F4EA699A3916909478D3660ADFA102E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:31.294{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:31.484{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53972-false10.0.1.12-8089- 354300x8000000000000000399085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:31.453{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53971-false10.0.1.12-8000- 23542300x8000000000000000399084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:32.546{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F5626376C0211E938F7C37225431D2,SHA256=831E72F487267725BA6744F29202DAA40742564C37C3C0FF9317C7CD98DDFFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:32.303{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E64028C13044D10CF24AA32E5CA609,SHA256=515C1DA907461685EB72FDB967B807616C633021CFF54DB5189CE7CCC4C5EF88,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:29.632{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60975-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:33.668{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC343C66E70FECD618939E216869753,SHA256=516BB021DB66514EEC23218C1603913D3308C97C9807BE80A070BE06559F65B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:33.981{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=916C7DF7E4CE5991B384A15D71F48F5C,SHA256=A495A5A5E706FF6A6D3EC61895275403A7D79619D1473A277E8CB0A135F97BA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001454422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001454421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01510b62) 13241300x80000000000000001454420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77199-0xf766e8d9) 13241300x80000000000000001454419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a2-0x592b50d9) 13241300x80000000000000001454418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0xbaefb8d9) 13241300x80000000000000001454417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001454416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01510b62) 13241300x80000000000000001454415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77199-0xf766e8d9) 13241300x80000000000000001454414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a2-0x592b50d9) 13241300x80000000000000001454413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0xbaefb8d9) 23542300x80000000000000001454412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:33.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EF30AAAC109E3DA29EF83F256AF1B6,SHA256=F924C3782B806F692870B842C3358435EC0087E356160404505E7BEDEBBD4D8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:30.032{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000399102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.920{7F1C7D0B-0A2E-60E3-A70A-00000000D401}20961868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC984F1D58B6206CDA0BB3ACCA19792,SHA256=5D7551CE73B33B0A121159E6B34BF28ABFFB3734B45F753D687B3362332FC53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:34.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B753EE2EB5CD86A711ED1B0C755C0A7,SHA256=E78C7B33F437B80C4EC111312A87C7A5853A12F3E3CA3EC2B3EE7405ECFBDCB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A2E-60E3-A70A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A2E-60E3-A70A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A2E-60E3-A70A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.624{7F1C7D0B-0A2E-60E3-A70A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.779{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C38CDE1DABC6723419E3E9E014057E,SHA256=0DF32ACB2A72389425B51EAAD65D9C8B5A0F2B589EC4E3AABBAFD87CDFDF421D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:35.363{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51205C494B02383500997C2E4EF70EDB,SHA256=2579CFC168BF6DBA07F1FF03601D08B63391E9BDD7BF753EE55B498FF636BF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE7EB48043686940942235A31386195,SHA256=B67A6CD2E30742230A60653C6CF695B2751827C58929744C5050A93D50D84ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E924BF87336752B52DDE092EA7193B2,SHA256=4D75E8F84FF60465C1908B384675AD20ED55CEB76F531165170B99C19CA36204,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A2F-60E3-A90A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A2F-60E3-A90A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A2F-60E3-A90A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.624{7F1C7D0B-0A2F-60E3-A90A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A2F-60E3-A80A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0A2F-60E3-A80A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A2F-60E3-A80A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.124{7F1C7D0B-0A2F-60E3-A80A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:36.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C7544961FC82087235A3C05725E19E,SHA256=09BB9D17814EB24A06DD4E2E8B1D7D7D65AFC2FE9C9B1E849E83F002505A2BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:36.378{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3979413A45EBDEE6971A7A4E9FF53D32,SHA256=A51F0DB071E61A91F0545F72C43A3787388942AE3468063BDA95C65689CF8717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:37.414{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA63BB04D89E9314C84CC6C8A515556,SHA256=734B097294EE73E21F6099F65D1D1D8F4FEF1B2EAE94B2739AAF0FF60F7348F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:38.429{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290191CED9F70E32D86246E20796F5A5,SHA256=E9D2444A0698C03F444AC4951150C11DDB974012C48126571D0B3F5157F08469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:38.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C745C401391CE9E6282D0B31F50056D3,SHA256=A25E21FB3E15913324997CE2D793BC1008965FAC2A95E49F6805D52799C86D69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:35.642{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:39.443{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA1AA4FDEE90C9FD323D42AAA95AF2F,SHA256=69976EC4F9286D1BE635FB733C359DAD7D76F1332CD982BE6EF99683E3461345,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.826{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.624{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.420{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000399148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:37.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53973-false10.0.1.12-8000- 10341000x8000000000000000399147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.124{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7D2562DAAD0151F6DEFDE48DCCDBE5,SHA256=2C302BB22D8441B9CE3372DFBCE0E661061C96A2C701E658DB8CF05DF8C96B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:40.474{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654F9E04BBB25787B91EDA1588076B07,SHA256=CBE557222C5D04530BF21E42B92B1B57552DC477879997DCCAECAD0E07CB5D5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A34-60E3-AD0A-00000000D401}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0A34-60E3-AD0A-00000000D401}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A34-60E3-AD0A-00000000D401}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.968{7F1C7D0B-0A34-60E3-AD0A-00000000D401}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.483{7F1C7D0B-0A34-60E3-AC0A-00000000D401}26288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.342{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE7EB48043686940942235A31386195,SHA256=B67A6CD2E30742230A60653C6CF695B2751827C58929744C5050A93D50D84ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.342{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60DAFB6B4E963BD9100EECCB4F1DA34,SHA256=0D91AEBC361304087B7A203568792AAAADDE45F02FC33014801DAF7735595111,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A34-60E3-AC0A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A34-60E3-AC0A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A34-60E3-AC0A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.296{7F1C7D0B-0A34-60E3-AC0A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:41.475{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483218A8F8DEE54BA607E3BA9183EC90,SHA256=83759B4030A01EC417F887332D8BFB7C298890579B72F07ED3286884EE288EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:41.483{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8B420FE84EBBD80A059861CEE56AA7,SHA256=1A0B2A330C7CB2519228CBFB6E9B34066E457F1DBF50DA045929E5514CC170C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:42.492{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3F95D17E45A9552CC23F8F13472540,SHA256=C6217BDF1C18BD4BA2FEBA702DA8E7C3C530AB78BF376F46C039B27A4CAD0E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:42.561{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECF14A726763E1D4771DAC124679E3F,SHA256=BC18ECC15676F092F9D6F8CD60E379B8E9CC07BCC3094D84236F90944F72CEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:42.201{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6D6B0EBB8B521D55A23DA6C613CA8E6,SHA256=350F1026F0A0624E8D433067044C37110B9EE3AAE1AAF4B4B34F769D30A6E334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:43.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324D299EDCCD31C6806E4629B44B1822,SHA256=49A50178EA5F49871712F42ACDF26FFEAFA420428859035055E687A9FF5E538B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:42.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53974-false10.0.1.12-8000- 23542300x8000000000000000399196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:43.608{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDE5BB301BFE008AE5AF5DEDDDE8567,SHA256=DD7FE5BA8DF5E4CAC76153A050E55FB3B3D01A2176D80B6E3AA1A8C19E0042C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:41.638{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:44.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772B2BC6F010FDF04E5486F78893724F,SHA256=341929327920988D1E50FBEBCB82385BD9D448F715548BAF3AA0F026DBF9CC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:44.525{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=287211F062E94B8E856513FEB2BCDCA9,SHA256=C0F4B69BA78F5B2D0A8C0EA845D4299A8E878595AF0FDDE3601C48BB17380D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:45.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3367306807715C8C1FCE03FD75A305D,SHA256=1A1C0ABD3EADB69C1B6240C0DC57F1A69C558AEAE87CA955B4F776D8A6395D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:45.540{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602ED9523E74CCDA332FA77A9725E300,SHA256=DC30A153A6226AEE32EF9FC64E4783C6A2DDDC1A2A5A00625D4DBF1E2EDEE09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:46.904{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C6F3BB7ADA88FBA7DFA312423BB643,SHA256=ED9DE8F2767FD2CBBB7FF0D08719F9327576BA64BC4168EA510C60D33003F9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:46.570{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF8E956F02E1662E0214AA803295E26,SHA256=FA1BBB5CF7745E1F780AB1D8820F718AB3ADE4EFF806171BFF7ED1C064E75990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:47.587{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72761910EFF49F6ACF3A7FE61D56772,SHA256=66BE4442467EA6EC34550C21B92A02EC4278761F70B1EB200CFB360568CD9635,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:45.961{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-31683-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001454440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:48.604{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78D091DDCCE7DF9B7AFE542C84FD573,SHA256=B6599C3F919FA19FDC0D814DC89F50756191A6E22208CD24D149E4660CAAED66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:47.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708E100407476B673C4EB5A6625469EE,SHA256=7B9E9D9D575DB17D84D831A48FD8EC9242C0450D86D523BF8D3E5D4F6992BC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:49.619{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB55EC258B0A1EB2901772A4DD468D0,SHA256=EAB8C762C547670F76DB389AB4DFA60BC689F10ABC61CB5D2D4A4351A184477C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:48.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FFB67F316AB0D863C3EE3B644E7159,SHA256=99F10DB4021441DC3DAEF2FB0C5EDA16B12F4103DDE9D500E44BB88A47BB969D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:50.633{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B0A795F848B2125C019643648E4810,SHA256=B8DFD4A8B332367E6A81B63D9F3D5A96AFC663511BB6AF269F49480174068931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:50.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF7D70243D95F4919CC56D0E34AAACE,SHA256=D4A4B9035CCB276A04B831F127D3156A59F40362793D83B7D0B821E326B313DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:47.634{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:51.663{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE35F223E2816CFE29C1B6B21661A65,SHA256=5805D14ECAFF7380112E5BF2B0CC81B77DC5AC337887BBE79C15004DB2A5FDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:51.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914329411F870A886CB2B16C648C06FA,SHA256=28F6967A83E651C4B8E3BD601AC367D11A05FD1CF930C83242DB063665E73CAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:48.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53975-false10.0.1.12-8000- 23542300x80000000000000001454445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:52.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EF95657890D832087776E5AD824B6B,SHA256=1E06CF4AF68BF2810550F41CA9C91E0BC012DEEC680810FCF3E964CFE593DD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:52.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552D353A8AD384B009D320E436BC812C,SHA256=5024EF8A65780C1D027FC942C0106B6888696D9F785D098A1D1200D0C85B65F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:53.698{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CF8EED43B7EA507D26AFECD9BCC28A,SHA256=95FB084DE62E3340038C55A6E5A81C10EF456F947C5E3B85F1A07372B9F3764D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:53.139{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD2D47AAE6B621A77D1DE600D3245DD,SHA256=7F15CE33E3F717A02108F7C39564680E82BC149907E8ADF1A102A9A21287FF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:53.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D5946237EFB76B87B9BF2BD280AF502,SHA256=C8FD71BDEF165800C3CEEF56291FB468B13D5AAB00C114286B96F5D871E823CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:53.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=309C16BD029E05677898B0FEEB6F3494,SHA256=21A3616A5C7B7D7ED3ED0DB05B51CC94FC6004A847424E1B276F25DCC27F4263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:54.279{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CE1A73F8C5FFF7E8A5959B0B4E7F5C,SHA256=EAE84DDF17936B116C0310C7940E63F3CD2285E4F25654A944FD8AB6382FB7E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:54.712{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235A8CBCCEFBEC2B026CDC7AADB53734,SHA256=51E29E833800C4B992ED7CC536A22530E977CEF62D5CFEA4B05F8FF28926983B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:55.727{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B019DEEB81B48B495D1470983F589F43,SHA256=057E1368E5ECEB47968A28CC4273EDC500BC5D00E8AD567FF284EDF94B89C060,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:53.627{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:55.279{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D293FFD74A7F388A73AEACC0913D2E0F,SHA256=A4F84CAF35AC4F53DF6E649D3CBB18801B0183095ADE2D31E0E14A3151A06D2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:53.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53976-false10.0.1.12-8000- 23542300x80000000000000001454450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:56.757{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7166457BE5CFCB9231B4F0CB7BD434BC,SHA256=A4B4861B362788B3BF3343D4188C2275D9A1CF5606BFABD6AA5BF4BA86664753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:56.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70106CA203E9D108FBECEA867D41F073,SHA256=64F777E6E0F5355AEA414B380CDAD940DE5F96C08AE08594685FBFBFC1277A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:57.773{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43216FD2779F6B3C316A662B5D3440BC,SHA256=E04F2DDF2C5C4C84EF2D9F5FF32FBA64ED2FB73DD8F9CFA79AA3AB077A12E0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:57.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0DEAA2FF5D427BAA4F480FC3103C15,SHA256=75E69593561AD3A69B23F5D3AC1B2575958B31DD8D9148667E99819590D8F886,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.975{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A46-60E3-3F0B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.973{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.973{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.972{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.972{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.972{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0A46-60E3-3F0B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.972{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A46-60E3-3F0B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.971{D694AEB8-0A46-60E3-3F0B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.792{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6698332F02527CB2C27236121906D16F,SHA256=78212888769674E7EC0D9182196FBE6FFAFA73C5FAE4263229635C4F1CA62229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:58.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C147A9A80785DAC7EBD7C2A7EE8258BB,SHA256=C1C66EE9C8C24DF6FBFF0453EBD1DB20D21DB55839CF3BDF50F4EFF1EF46FD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.806{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96E94FD5F12791918E30BC1D96569A2,SHA256=CDD16C4346CB0D060B0EC5542712AB3758902408DD3F7B1F8D23BB5EF3083244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:59.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF991E2ED8DFBD9379FA19147AED89CA,SHA256=6370D9C3DE87F659C6CF4FA5C283D6B137A557AD5E7C6098F6E1723095786ED9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.691{D694AEB8-0A47-60E3-400B-00000000D301}70444620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A47-60E3-400B-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A47-60E3-400B-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A47-60E3-400B-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-0A47-60E3-400B-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.821{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6881676764768761109FE4D13C3DE15A,SHA256=0139A88E41753653D5474EAD5A62187DC8AB725CE178D16E794D66DEF9974E03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:58.454{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53977-false10.0.1.12-8000- 23542300x8000000000000000399218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:00.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52356AA3E2FD4ADE85506DE2B76C3FB,SHA256=69A40C707C2FA01267C606C0DE9339097C1ABA1BE6EEF9D096892F43683D891C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A48-60E3-410B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A48-60E3-410B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A48-60E3-410B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.191{D694AEB8-0A48-60E3-410B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.053{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=574982A3A9C9EB4888BCDB6B05FC09FA,SHA256=70F998C8818493FC72BAC1AC28746A20B844C9C130D2843A5D377B837EC3C199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.053{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A456DC7F66DE187253374DB693158822,SHA256=8E0EFA6E68993D98E47A931B0969D12863247083D7FF998A975C014146AF5456,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.616{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:01.851{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD7EEDA0AD878E1F967A71E3E68F798,SHA256=BB91A05D838C98E08CE1D26D02087AB4E0F0F65BCE5F6012ACF3587BC619CA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:01.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA93262429ED501EB7B04CAF9BF4B792,SHA256=5FA7FA5BD83DC3A12CF02EA8C15C3380D58C8F0FA464CE7030D5C2630EC7D203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:01.220{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=574982A3A9C9EB4888BCDB6B05FC09FA,SHA256=70F998C8818493FC72BAC1AC28746A20B844C9C130D2843A5D377B837EC3C199,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.987{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.987{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A4A-60E3-420B-00000000D301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A4A-60E3-420B-00000000D301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A4A-60E3-420B-00000000D301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.935{D694AEB8-0A4A-60E3-420B-00000000D301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.872{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60F9C0F113199E46C4646E453221D7B,SHA256=AB36FFE438D479F36132A54601B8B6C480D79B6059E3D024945EF2D1D7878ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:02.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3974A53E8DAAA4ABA4C8C311ACE60A87,SHA256=9D3B269502E50AA73F76154E7E4A57A5C2BAEB52949A6A31D2AB4C41C854CC82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.950{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C6EF024B46A49FF0607FB20FB928233,SHA256=9C79F1B934BF9BA14937C13038DFC44445684DEC41A9157CE2FB8A6E09E87E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.887{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0001BB435553F3884C2BF3D058F8495D,SHA256=C35C9393BCC19BA9CC7BB3748150E7B3849684818DA0C80BFFA0FAA1CED933B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:03.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9BE9539D3AD1A8E8DED1D079BFDB5B,SHA256=3BAF70B187F04309A405E646ED50D72BB934E8A3E83DC5EBF17D9F025A632E85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.734{D694AEB8-0A4B-60E3-430B-00000000D301}63164484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A4B-60E3-430B-00000000D301}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A4B-60E3-430B-00000000D301}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A4B-60E3-430B-00000000D301}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.604{D694AEB8-0A4B-60E3-430B-00000000D301}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001454496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.071{D694AEB8-0A4A-60E3-420B-00000000D301}54882696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A4C-60E3-450B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0A4C-60E3-450B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A4C-60E3-450B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.934{D694AEB8-0A4C-60E3-450B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.918{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D306D491726B1ECF1B104529E012449C,SHA256=94E515033BF04D605FDD217290272545473C78BDC92E80DFB6A0A333FE42B8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:04.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7A2DC5590289F881A9296EB38417E7,SHA256=F427754A8731BDB25586683E39C40004ECC650AA8CFB641191A4134F8E2D5EA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A4C-60E3-440B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A4C-60E3-440B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A4C-60E3-440B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.288{D694AEB8-0A4C-60E3-440B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:05.948{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BA79E3F28DD512708E071E115B98C5,SHA256=6B15124FA767A877B1079704A20A1C0A43B8D2CDD427CA9A9D069CCAC190736A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:04.423{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53978-false10.0.1.12-8000- 23542300x8000000000000000399224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:05.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB86858A5A84300B7B1D8992E033EC06,SHA256=CA042480F279162D9F4CA779BAE53CB475648FFC5598011916AE4B4B75BA8DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:05.317{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE45D216BA5C490C10D4296EF45EE53A,SHA256=65B19A02C598322D63902B183E98C28A5AF8241E01EAD25A65CB94B1F5C2CA07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:05.086{D694AEB8-0A4C-60E3-450B-00000000D301}4632348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:06.966{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363F0D455D2667E44FB6351A513BEE4E,SHA256=81D7DD138560A70A4B9EABBDE830BDA62FF3C9C4C5DB4A1F931132E61A4D0A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:06.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECDA98A3F9E72FCF71E258DF3B6731F,SHA256=638A2C8E446A0AD8EE07B44157001F3897904A08883904265F47E56447AA8CDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.649{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001454529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.382{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60982-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.382{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60982-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001454532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:07.983{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B62C5251A9D6064794D56AAC05CECFB,SHA256=B1D733939743B24D17FCDA91950E5F4FA008C55653CDD3D764F7491502749AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:07.436{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CD0D6366D0A5D0E08FFE31C2361615,SHA256=225DEC4DA757B1E35B423E3210C392EE48D6853A7D37E8A338321E2E9F0E9A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:08.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AECF0CB7B4FD0D829A9A47FA4508867,SHA256=A62E753FA7B52A064642F58D4A8510E7B326F4DB22E9A7C25E53B2D1085020B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:09.561{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA26110A43E52CAD5E4FDCC261EC3629,SHA256=85D30146CA091E8F8DBDCE2BE0D9F5C782DECCF401E55AA3FFE9BD87DC71F073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:08.997{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1250002E4ABD413E98FD44F2F6C0CE4,SHA256=B5E6DBEC5C86536A49E3541D306F26C52A74F8A47D373860CEA265B30ABDF706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:10.592{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E51F8261BA08C6A384604940DF20D3,SHA256=949339170A4D9F781B60E3C1D2DF5E4C3C0A23E45F6B78B274C1A7F56CA72AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.012{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F8B3875B73DF9BC0776FBB03987E2A,SHA256=F6EFEAB9D711363B83F38BE4B69A4C6BFB905683C7ABDDABEE8F68CA72A18F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:11.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B019A1FDF25128E0608541C870372A33,SHA256=90DDA9F3058DF7BC2B8386AD81D587A265DBA5A2D597400A914049EABE8ABFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:11.210{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D9C2971B486D3C3E44A82B42B24738,SHA256=4F304DDCB65287E14A9A881199B6BF59CCC0CD07865FAD6256BD7CF568673CE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:09.423{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53979-false10.0.1.12-8000- 23542300x8000000000000000399233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:12.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E1C18B1EE185C3F75D94720CEA5E43,SHA256=1AC00C5D7EBEB6D99523931F36E3C4E67EA1F5EA0954867D1F3A36582B0443BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.642{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:12.293{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ED7148042B4F6D66E42EF077957012,SHA256=9FF6CDDC135F0369A420CAC7579B0D6413A8953A30FBA782BCD549BAAB8DA744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:13.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC300D1B252C938FA00209C52AE1A729,SHA256=BBA6548CC78CA29467EB176390D5ED3A1FFEFA057B2340D3AB0CE57311DE598D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:13.308{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBB146229295734E1093A40385B6066,SHA256=B94FA3E99FE99FC83ADA6BE27BE72E940FE079A79C62BCC39357E5D90D0E85D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:14.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DED4FBCF52DF86A60B1F4BC29C6932,SHA256=A4BF3B551B9BAF399A9E0D7FD85B77C3DDE399E02CD6E5FEA357B4332E11646B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:14.339{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E202D7931DFCD52E99D17AC53CF6018F,SHA256=EE508065BB04BA753F909D1A1EA82EEB9157F47E612941440378154E81ABF8C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:15.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A86904A02F3A5A0C9252699D5D87B6,SHA256=108DF26DC866DE66F64B00CB6FAEDA0CD3312A0B64B68B75C677DA830306BD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:15.375{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A822EC2F228057E35B0FEF546B7F4D80,SHA256=ECCC5111C19B2A74B5B9EBAA42840E59B0B61D4CB5499EE0AB5B74253626D423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:16.405{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B96FBAAFD76AC554F1A3AA2BAE5F12,SHA256=23F8ED149A7C0A02E9117203B983E976DE9113495A2A98A5C64CF3BA7A0AE6AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:16.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E40283CB3593AF4F1CEBAE3BAA4588,SHA256=9172782E9DF9B9DA4D88E0A25F6F67833E2CFDC109FF29BB76634C2D7716D27B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:15.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53980-false10.0.1.12-8000- 23542300x8000000000000000399239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:17.654{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3F17E4A950B15CC33FF0506DB1E80C,SHA256=93E66D2EDDD354A4D37AE90544BD992F5460689223E449D5BA10E12F806D4FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:17.435{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1EE4CD719D9DF8628F4D56D18F5BE3,SHA256=91FD9410B86AC47F0193660DDC7C4F75A2583D86A99D548D9576F0281C254036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:18.655{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6520A46B52A080117711F53760B4F979,SHA256=69EC3F341B72D08892192AB008B1EE77FA1AB50F67DA2C11E8B970BC92A4ED06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:18.451{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21427BB08F8EE6214F49540018B0C81,SHA256=485C58470292E9CC6195A9504D45D301CD9B740C024C7BA279E38A39CBD264D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:19.686{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDD04B8C186490CF0A3EFD667BF44E2,SHA256=5D02D6F404BB52097CBB5FF5C498DD78CDDD7CD87A3FCFD407A3C54C33025F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:19.470{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93110867AC31785E851192D2140E4686,SHA256=0658B34A1C650420215AE1C968D6023453ABFAC8890656719E0E5C4C9189C5D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:16.651{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:20.485{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBB6071EEBF807186442EE719952DD8,SHA256=81361F55ABE63EA43CB3AB5C4DB38CF129C3DC2EE4C4762D28A387AA03FA25AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:20.686{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADB8C4236EB66FEE41C51FEA2B85F9E,SHA256=D2FA82C7C55DD37D9D6881C96BCC694BCCBCA8B9A5C9E8F8610BFF08DC8775CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:21.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A993E5B898722B609D8C39F57BDC3631,SHA256=61C6EBE7E7283A2D35880813830B6C5C8EF48AF3F046EB94A3ACA6097D23C629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:21.500{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2496E6488E941D7CEC0D261456D5A8F3,SHA256=01B355AC3CFB69FD035E1063BEC9E5E0D50A94F9B5863F335302165BB61BAA3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:21.408{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53981-false10.0.1.12-8000- 23542300x8000000000000000399244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:22.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683D292755B7918F45AE4FAB878A05C8,SHA256=EAAE354CBCB765E844CD32F60AE3F879992F06134EC8CBCC73F9166D9A3C7660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:22.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8DAB9A78DD64EC37588797295F854C,SHA256=5EBA7754D6AFD7C259098BCE65AB67FBCC37114DB9DB23147FF335DEE77FA8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:23.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DAD7AEBC676C0B1580E4612847F94C,SHA256=1D1A9C820D7196D8AC8E5030965D6C28BF3656DC596B71C284B7EFE026DC9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:23.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1EC954D0C4FC3408BB17F1B516C969,SHA256=FA605DAE6A18D3E6BF3577844C35F3A77CDC5B2B103F160A8784A8C1B808F52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:24.546{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F2CA4AF59081EF5031E37DD0D41EB8,SHA256=139B42D33913EEFB1E2048A8A1C4CDAFF7228C7595174EC42B3086B0D74452E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:24.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D99751686F3A53213A6D9EE4D518F7E,SHA256=9F5A798C50CADA8B3BC389CDB752A1F490ABA54A77DE6232C180E706C38973AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:25.565{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3347CF5DFB45B06BC94E56F5729DE1,SHA256=050A923873504A0D63AF72F010BC160D6C120CE22FB9315DAE7EF5921CD30EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:25.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558C1069A09B4014D0399DED6B389BD8,SHA256=B68B70304E93F726F68B749941BC60C22DEB679346EAED71DF3701D8D24EE917,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:22.661{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:26.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCDB46E8C3584B120E6DAC209A8A57C,SHA256=78FEB57C8B1C5010BE20D5F32BD0E7FA9F3E02F9B64B56FE403F2EE06F11CA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:26.580{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E035DB983EF50042E4C683B795544A41,SHA256=71FD10F9B39CC84F0EA2333291E620E6622B892B2D6996BD8DAB26BCA2FC30D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:26.373{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A8635636B5C7FB65A03D2413ECA00D56,SHA256=232D04B8DCC6C84C8ED149BEE12752AA3386B99F1F88B124C09176DFC0591320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:26.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8ED7B5579D8D41DA371B7ED641A8F7E,SHA256=650ECA7D504168618A23AFB998C4CD1D61C3A55FA091FA2E042084A02BDE5A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:26.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D5946237EFB76B87B9BF2BD280AF502,SHA256=C8FD71BDEF165800C3CEEF56291FB468B13D5AAB00C114286B96F5D871E823CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:27.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C8C82F1E0242379561FABA47F04328,SHA256=3AF384331AB8D47F7006FF7B805BC4467049F1F001D551766E415D8F4E18ADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:27.626{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB51856B5BA564F63E21744D7D873743,SHA256=1FD35CD4F04C28057B628585865D789F90F12DDCB2D0BC7F230D634036A1E3C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:25.175{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-62471-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000399256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:28.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D176183B879EBBD44A16827495D61FF9,SHA256=4AFA962441C7B472E492ED02F7ED390BA1491B5DEE0B0CF3919432A00FD4F3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:28.645{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8469DB304A99F025416685D816D5B4,SHA256=2D148C90AF721539C7F36200709EFFBA792DE87A3EA1AD98CA738A13A1F6251B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:27.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53982-false10.0.1.12-8000- 23542300x80000000000000001454587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:29.662{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D082824568A32F0E8B924937B47AB01D,SHA256=DF8C13F2D2720701B5FBF291ED5D8A75A9F06D7034924FBA912B92A07DAC1874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:29.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2F9F45936152455EB77939F1F6146D,SHA256=B81A8990AD998E7BCCFDEBD012540D4CF6247A8AE40E2F2B62E2F86FDA4481F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:30.663{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DD892B91B91DD401FF831B510E9584,SHA256=0E3F2F91DE4350F2DD1BFAFE0A9D230D7836B845F8F525EC73AEAA126ABF5677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:30.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BABD9AC824FE46094B31701427CC42,SHA256=A9501ACA12F730FEBF0E914E35F32FCAD74106633A87951559029B10C319271D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:30.625{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:28.655{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:31.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619AE809D65887C43C3A2875F4C0A897,SHA256=0314EEF032C97E797704B89CB5FC447674D7C85FE3879B8E4690540C7EA36F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:31.677{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F948FACFD5E3EF9F99D81AA231E7AE68,SHA256=94B9E7F50A9A7E0E55FF350FDB944FDC7F7201FA09E7A79D30999FD5559FF2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:31.311{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:32.904{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C7C58B2ABDFD70B6FB22644AE5B285,SHA256=EEDF793FE24B83ABB729292DF3F3CF5393D6E47B95D923A6232DE1C1E8331EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:32.692{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C221D250ADE6DFAE36DBC9E4BA45A2,SHA256=D48DD8B722D7FFB020D287DAE641D1221B26CF740B66B8FEC612596E3558D8BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:31.502{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53983-false10.0.1.12-8089- 354300x80000000000000001454592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:30.057{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000399264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:33.906{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626B11B41F355E070CB9044845D5B3B8,SHA256=C159AA5C8EF018937FBF45224E2C7CFA1574F136BC0132BDA3B707CEA2D787FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:33.991{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C13CF125B081EF620AB5FA09CCC047FA,SHA256=027462433646E139696AB3251D50C77C28D8281A894D6570731C6D7B6EC4E183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:33.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC1661C0E24DCB3A43B561E92DA348A,SHA256=73BE410A9459F6BFD322DF2C0DCC7168FA6141246A9B7C5EBD1FA18FD01DDD91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:32.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53984-false10.0.1.12-8000- 23542300x80000000000000001454596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:34.742{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AB8BCD1BDBB80BCCF22CE295B95542,SHA256=B9A61B040538CE2CA8C0F2313AE3FA36F9314155D1EEF52600E884985DA0B800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6A-60E3-AE0A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A6A-60E3-AE0A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6A-60E3-AE0A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-0A6A-60E3-AE0A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:35.758{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED1F6D9BAEDEA2D534F9C1C47741F5B,SHA256=1F886A61BD17D0A487FCE75C31DAA6DCA667638FBD037A7B006D18161558881C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6B-60E3-B00A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0A6B-60E3-B00A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6B-60E3-B00A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-0A6B-60E3-B00A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=193FEAE7F20101672FFB6D93AC964D16,SHA256=6DFC03021EEFEC70C11DA6EF8E7269E671E8677ED8A7F55496ABC01260279F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8ED7B5579D8D41DA371B7ED641A8F7E,SHA256=650ECA7D504168618A23AFB998C4CD1D61C3A55FA091FA2E042084A02BDE5A39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6B-60E3-AF0A-00000000D401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0A6B-60E3-AF0A-00000000D401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6B-60E3-AF0A-00000000D401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-0A6B-60E3-AF0A-00000000D401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.106{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FBF9B2590B33A9308F848E63B350CF,SHA256=2EE8E056FB0FD86CD604E5341F571625F944E2711022FD68288C3092D699E072,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:33.669{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:36.788{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F41B2B9014110C7BD636478F4C4709B,SHA256=1413F258B43F9D1927A8AD6499B42A043C401DCAA30A1DC027A1683967C1CCB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:36.186{7F1C7D0B-0A6B-60E3-B00A-00000000D401}38322884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:36.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2947654619AE2DC67865F7F165803C,SHA256=B80995B43F3BE3639C005A64D2B6D73D036690B9703D96A1C7364A60C40538A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:37.818{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C9B7C5395C719A181F0B0B386ECCBE,SHA256=726CC22A62E597921930E5787BF0ECF232188894901638A84EFD1B7EE03A3305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:37.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB63EF399B709479AE4670F34BA1C42E,SHA256=DF847F49DF44B55F1D75DD69E22E8682FB0B6138463433C94333A71312EF9FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:37.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=193FEAE7F20101672FFB6D93AC964D16,SHA256=6DFC03021EEFEC70C11DA6EF8E7269E671E8677ED8A7F55496ABC01260279F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:38.834{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2C146AD5C0FCC2574CCDEFDF9AEB4A,SHA256=52239D1E41D0809F2E74AC820107B5E5144DD6F17BA9536E9FFD2762328D8DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:38.326{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348AFE660C4AB8973737A17A3E102E56,SHA256=977C4A7C01D250089AFDBF8F00E8F05EA9C34D90E244CAB352E18E1D04F12558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:39.853{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6A077A26D9A9D886D7C02C2E87E44A,SHA256=D9143F347808FB425923F7050E4F050B19D20A1BED8045A30CD2287AB50BF439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.780{7F1C7D0B-0A6F-60E3-B20A-00000000D401}24323252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6F-60E3-B20A-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0A6F-60E3-B20A-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6F-60E3-B20A-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.624{7F1C7D0B-0A6F-60E3-B20A-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.358{7F1C7D0B-0A6F-60E3-B10A-00000000D401}18762324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.342{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D6D6F2529F51D5F6508676F9DC5549,SHA256=7AC957D189BF87AE4CCE646ED7E51DA6A48BBA20BA7DB03B8305D5CE37893085,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:37.424{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53985-false10.0.1.12-8000- 10341000x8000000000000000399324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6F-60E3-B10A-00000000D401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0A6F-60E3-B10A-00000000D401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6F-60E3-B10A-00000000D401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-0A6F-60E3-B10A-00000000D401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001454604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:38.701{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:40.853{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6D18B986863E6992DC3DA2AC38DC84,SHA256=3ABABD92FDA4628A528777522B0882764FA2D5FCE947BDD2947CC1618B2442D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A70-60E3-B40A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A70-60E3-B40A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A70-60E3-B40A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.968{7F1C7D0B-0A70-60E3-B40A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4323041A49A62EDCB2A1032721371B16,SHA256=2A0335DEAF2712D7606692F999BE57C98E2AE29EB5875CF628459530722EAE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.326{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5288B7C48AEA123C17A7B339E088791D,SHA256=B82C82DF2C8A5F0FB58C5D6F6E67C6325A8F0B78334B8A91DDAB17C26D081291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A70-60E3-B30A-00000000D401}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0A70-60E3-B30A-00000000D401}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A70-60E3-B30A-00000000D401}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.296{7F1C7D0B-0A70-60E3-B30A-00000000D401}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:41.883{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8233EF2B302BB3662C3AE394AF26D4BD,SHA256=0F44D3D4EB19E867F8465E5CA5F0BB4760BE2B4CD835AB5191C5E1CDAF0667FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:41.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB35863D80482F9A34CEF6BC568EAF54,SHA256=44A367953F50BDCAC5D36664D60FF5FA5026100D092A16A29B4A52B8A8085ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:41.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E193B67E6512FB15FC6F5EEB07A62896,SHA256=6FC58EB860AF8061DA4BFD1D75A628FC890A562CA407AAC31FCC5F364CA72ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:41.155{7F1C7D0B-0A70-60E3-B40A-00000000D401}18603640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:42.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D73A8BFEC2B2FA93DB72B6FC70E814,SHA256=7EC5BD4C9A492702C6258FD300D1848C4BA5C041B74063BDB32A34DC0A680FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:42.914{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83022F8A4CE443CD9349E6A2AAEA76EB,SHA256=94AA91FC797E6473C7C880E403205FAAAB5E5888E761722B3A903B529F2C5809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:43.933{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E24B1100C44E5C7C2E89D85CA210EC3,SHA256=2EF2F9800B8BD649000B8E610C5660403D3C7632CC85D6E818E2DE665417782D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:43.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0EBFB0A0518A22988FA0266D73BAC9,SHA256=83599CF0A9038D2D1F948310F5943AA2510427AB953B506754A03441EA774A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:44.934{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8558BC2918134498D2FBD7CCF3D9A9,SHA256=53C9031C9E332AB26763B7C7E84027DA6F867E6F98EBEE910FFB195ED8C3EDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:44.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC3E503886DBDABE4F5A29722728BDA,SHA256=EB76B2877371687AA2CC095732B5CB287F9ABD61DCEEEA1B50FB29B11EA068A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:42.440{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53986-false10.0.1.12-8000- 23542300x80000000000000001454609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:45.949{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F7BB117CD8CF9B9B974C9CC05EEDFD,SHA256=887CBDA5BC75EF4998DDD7657480BDC601B15A2E5F55EB5335B8B8814814794E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:45.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E577C3E760A77DB12EB25CD69ACE25,SHA256=7293D796802218411122B67569AA39220F6B1C066749C9EA5FD0E7D436087BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:46.963{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2749102052C82C542A0F91B056EE21,SHA256=ACD659D2C721944AFA19ABCBA96FB557D241F05C4394EF9F5990DB3A2E9EE10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:46.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC6B54F6D86DEA4F3F422CAE660E6A39,SHA256=CF715A0D6F6BDF2317FF25FFF7A2465167C7E9A892116C491F23B1EE5757E797,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:44.475{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:47.978{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80153B2ABF8CEBD04AC822AD4E1FF611,SHA256=F87432850CCAE6D983749C1BE6DCFF47764C1D33932AD5D79B117C61B12557E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:47.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB724D0C80CAE4DD3FD08FEA3B4A6B42,SHA256=CF85B3F8D34D47726E288D241BCA3EBDBFDA25329790C089733A73D4806DA7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:48.992{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0B5FA4B0B25C159E2368BD1400FA60,SHA256=1E119AB69F122EA6B72888E0ED7FA21CA7F53110600A4EF08F17FDD4E2DD31C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:48.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EB9A6971F588F2D455354E904F0A57,SHA256=E6FCE97A4C51114BE352C1182C26F6198D0FF3EFAD847B3D96FA0B0F87410347,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:47.471{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53987-false10.0.1.12-8000- 23542300x8000000000000000399382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:49.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3BBE1311C4D1E512454DB37AE1E91F,SHA256=87BC0D3FA3B0ABEBAC662FBB7F56D692A3BE4AD2B555BB4DB934108F4372AD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:50.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF033C2AEF4369EEB398A3FE2950CC8F,SHA256=4FED185CA7978064BE4045114156E3C81E55CF30D854C7B8F487EA0225AB6DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:50.006{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5643572D0471CE1A3AFF1D1CD973DCE6,SHA256=0D38AADEA0747ECC230C3C11615ED3647FE32600EEEFBCFDD933753F292E1F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:51.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3660EAEFB99499FC26306114A05B5DE7,SHA256=66E874A43A0C9B21C048D6345027D9E4887D3F4212CC5F39AD1AE94BD22E1D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:51.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A488A08ADABACD5A08E4572947FE5E7A,SHA256=7EFE8916661F06A0E3494B10B826BE3318D36976638B88AC6BE829B67ABA7AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:52.072{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F317360D2E1F7643768B79577E0E3ACB,SHA256=0A9A91C0CF8F6440617089708A7792466335F19A272E9F86618ED1CCD1B0A395,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:49.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:53.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DB26F077A70120EBD3AC9321103646,SHA256=F21DC4CAFDD8ED4D73CAC9205AA4414111A8941C5143A440D546F2380138AA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:53.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B76DFA309F99D0D4B49DB48C796F7F3,SHA256=F86E41E23507AB6AF3182A4D2988686BE1CB2DCC5CBE48A6BDD8EF900119C5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:53.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C100A9C62E39323946078BB7D786022,SHA256=8E56CF513751E63B3DB6B250E0ABE75A5061447837F46595177E4E2B17628908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:53.102{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476F3F9A62D9EDF0BB63B7484CA9B9E7,SHA256=7D007BA3301DCD02B713ABCAED9C40A9809B6C95B13CF7D81E7B61BEC9BB5F9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:50.781{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-10423-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 354300x8000000000000000399387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:53.237{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53988-false10.0.1.12-8000- 23542300x8000000000000000399386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:54.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FA7B8F83E18DF3F8C519B5D36869B8,SHA256=0D0160757B5040482ABCBA1D103337BE3C38FC98578578515F4CFE7D6EBF3AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:54.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463C5A7ABF81CBB723040C1A9F61FAD4,SHA256=66D8F6D497B8E0923FBBD0F31FB60ECC8397E1DF0C438280C3EC16AD89E97E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:55.295{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1933DB1BB50403299D0B113BA225FA,SHA256=2844DCC18944B0C3CFAD03EAB77C4F46189F15FE2A152AECA2AD5C1B4160963F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:55.152{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE901D7018E94FB7629224FB1A236AE6,SHA256=7AA38BFD51AA200E386C4F9F1A97D2D51B112A7959C5F7BE52FFBE7D9C953458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:56.358{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77141F1A7BEC7FD017626BF99C424D5,SHA256=3940088D7C057CA885426F6448AE1175860F39136F71416139108F7D08665FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:56.167{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF9CC3625B935088B632A643C3D80F4,SHA256=01F302DFE2DB9167CD9FD4669651FB490226BAF0820E98A1A5F1B524F93376DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:57.451{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D5BB0DE8ED7ED5D8F8E51858EE5640,SHA256=35A9948437E34FA8C228C71DA15FC6DDDE3193038C89E01FAD113A30ECA97C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:57.197{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2DF4F61CB11F9FEEDB57EED10EE4CF,SHA256=C08E594DF7EB03B59428CA5E542FC248B2061132B2A72BF31D335828912F9DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:58.467{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DA721957CE9CBEE158593EF2B88798,SHA256=BA88114B34D1DCE433B6D90DC6EB7DDAF7EC147EF834399672EAA1FC5AE61661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.983{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A82-60E3-460B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.983{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.983{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.982{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.982{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.982{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0A82-60E3-460B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.982{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A82-60E3-460B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.980{D694AEB8-0A82-60E3-460B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.214{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4055B87836575A00A54D26D824BAAE3,SHA256=684B8C1814321971E8CEADB33EE474EEEF6A02977608A7F148BA62715C5DFAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:55.698{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:59.483{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A471A56983AA8874380366714BAB553,SHA256=5AAE93A842C1C4DCD2ADE23F4E200474D0E8C1CC463CD6ABEE86208B420EEDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.994{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE81C50C3FF12F9433B1496E9A36090D,SHA256=66381D1C6EC88D89C426134555C74A6873631BAE9E35165FBCD22C3D8013BD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.994{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B76DFA309F99D0D4B49DB48C796F7F3,SHA256=F86E41E23507AB6AF3182A4D2988686BE1CB2DCC5CBE48A6BDD8EF900119C5F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A83-60E3-470B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A83-60E3-470B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A83-60E3-470B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-0A83-60E3-470B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.217{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B332A0A47B34EF96478470A7C4C37D4,SHA256=48A39E9900A256700E29FB9B81658646381DB811D28F728FCF8CE777A6AFA9E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.133{D694AEB8-0A82-60E3-460B-00000000D301}53645560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:00.483{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51A20A0B4344D84F0C7229F0DA42407,SHA256=27EDFE16346FFB9AD8863C642EACBDFE105C232177D1CD3C6BD1F0CC16078767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A84-60E3-480B-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A84-60E3-480B-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A84-60E3-480B-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-0A84-60E3-480B-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5594F9D068ABC1F1E0C468BE11F2E1,SHA256=16B251BF133E8A4B16A9B005133814ACB078BFD6BEAE2BF45227434C49614051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:01.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969218DF95B1B77CEC80A1DD163C2D26,SHA256=333E22059414746C06DC8B398D750EF33CF3F2E754BA632ABE6AE8FAAFAE3AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:01.362{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE81C50C3FF12F9433B1496E9A36090D,SHA256=66381D1C6EC88D89C426134555C74A6873631BAE9E35165FBCD22C3D8013BD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:01.246{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87D1747384EC9E28FC91543F48A0131,SHA256=17E34293981769013B46DF7F68665122E4F94668F2F03591D09A6573200457CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:59.268{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53989-false10.0.1.12-8000- 23542300x8000000000000000399396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:02.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4C59C73B9D573B80896D3E346FD81D,SHA256=F57C056D1FB78B8871DAEA033AFA047D3A418D34360B90C27D6E3B25D5AD9356,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A86-60E3-490B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A86-60E3-490B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A86-60E3-490B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.946{D694AEB8-0A86-60E3-490B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.261{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36C2049A2A3BCA546EE96E48DDC85F9,SHA256=D747C04E1A0DBEED9FC744207F8D219A5275BD10449AFF4E3DE9FC378659FE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:03.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFB43FEAC7BEC623C733C88C80C3086,SHA256=A296131CBB61599E57D0FD2160BAE01FEA0D0A5F5D2B7F2BCB2B792F9047CD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.960{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47B2741918F0CE57DABB79BD3BCCA14C,SHA256=7331CF813709F3A626A46F72BE5251373F9FACEC364E287D40C902FC8BABB4D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.745{D694AEB8-0A87-60E3-4A0B-00000000D301}27563580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.611{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A87-60E3-4A0B-00000000D301}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.610{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.610{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.609{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.609{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.609{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A87-60E3-4A0B-00000000D301}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.609{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A87-60E3-4A0B-00000000D301}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.608{D694AEB8-0A87-60E3-4A0B-00000000D301}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001454670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:01.455{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.276{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86860B1C23BF565A8CA30377FFDC429B,SHA256=AFD2B5833B905E45DA6FF9C5DAED432F934DCB8245C77D361450F5E54E7D7BC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.092{D694AEB8-0A86-60E3-490B-00000000D301}6036600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:04.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E84249889A66D1682F830B2860A9108,SHA256=FB493F922341F01FA22B6206D6A77E74F31DE0E40F85964445712E7283127B75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A88-60E3-4C0B-00000000D301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A88-60E3-4C0B-00000000D301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A88-60E3-4C0B-00000000D301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.960{D694AEB8-0A88-60E3-4C0B-00000000D301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001454690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.428{D694AEB8-0A88-60E3-4B0B-00000000D301}71566368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8616E2EA9F95572516995E2E0788DED0,SHA256=0C95BDF9450C32B8288ECFDE60A50E8F94BF64D5A27FA938ACA92FCF7232567E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A88-60E3-4B0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A88-60E3-4B0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A88-60E3-4B0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-0A88-60E3-4B0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:05.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911D5C136B1F24764189FA928B2D7DF1,SHA256=A4E061503E071B257EFAE93251F4536BC6DA1056E34C609CAC4400A862A26ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.392{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60995-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.391{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60995-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001454700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:05.311{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540D2591A90FD0C72DF5DB61A919F6F6,SHA256=BB33F7EB7FFAD2F515F0F7268D90FBD1A6260E9F66E984E3C7704FA3127348D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:05.309{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3447CAC1AA12AA1BE7BDF59ADB03D803,SHA256=F4E5E2F244296E42DE61020B22313F8F7C7D608B39FC5148A6A74B89D3786D65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:05.237{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53990-false10.0.1.12-8000- 23542300x8000000000000000399400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:06.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F51C0221CB11BCADFC5494311FA7DD6,SHA256=ABC9C2BC6033688CE67FD473C1BB3DE5A4468241D32D8670ED1759C3A60D38EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:06.358{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BA95F6484C4C218B6BCAEB2CC5A331,SHA256=21C0B5915637CAB6177E9863F33FF70BAF012D2A29A430C565F52CB7498056F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:07.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9319E9A6939D11FB741BB1F44EFEF077,SHA256=492BC53668B1B3C2AD7364098F38328FDA58E0A0814A350A885E784ACFAB050E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:07.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6FC523558714C0E72CFABE4EB61F39,SHA256=1514D91E8E52815189C35869A149973344DC54AA5997253FBC7EEB7B97E86EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:08.388{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAA14EEFCB5600215BD1EC5EEF685B3,SHA256=10B33263256B529BA7029B317C48006402C41BFB3D00C3E86881E912240ED5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:08.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7B0E2432262B9EF1F9C66B00D02B54,SHA256=8A8CD224FD0B89068410906FB5B739AFF0187B3DCD26F895195FA70489B3D9B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:06.689{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:09.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7CE986FF9782715641F7F9D249DE11,SHA256=3636570BDA658BF3A002ECC5455CF95F0A742B9BB1A5619A82A7AD230DE4F68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:09.404{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF367FD2EF6ABBFD9423381E8ABD220,SHA256=18CEAEE74D2E5E0B09CE78327CA87D643DD85C80F36876504F5A5DD36214870B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:10.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56965C6393F8E8F7A2204DF3B58ED0F2,SHA256=608B3E2D87E251C8CA8C6F497F9024883E1421831CD57ECDC013A69A35F6040D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:10.422{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295F5646BB58BDB6FBC1406F7488F60E,SHA256=E61E9C9F2EDF05892D420E23DBB4843DC5F5C2868D75AC1ECDD645DD2020B56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:11.452{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0E07DE2C22B33D8A274A0C5D600D89,SHA256=79BEA107A4926BF1226767CA2193F3EB425DE0E6515C99796E9B6EC9472EB0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:11.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860C3066AB3617398CD42084A6D9009C,SHA256=D54B70B42A3859DAB8D1BAAA6A1B9FE4C972EB015CE6EF635440C05ED9D086B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:12.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F701AE51A1A617DDA97310250A9E00C,SHA256=03868EC69DF5F35D09EFD796C36B8B3D2ECD38351E1212AE29DAADFD0531B108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:12.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFB560FC6BDF598E85AB2F8335E011F,SHA256=0099A2A5653FFDA4BFCC5F9BCD4E226DDBC72F16A0B688950FD8DA868A334578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:13.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B375825CB5BCDC4380326D5A05A2D22,SHA256=C6E53708ACF15298A3603A1E053F1FEEC569FC84ED20E9C901726D44FA3E77B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:13.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA5B73E8A7878F22051778088D9BB65,SHA256=6182DD09ADB9FE26D205F4C7997848CEE1241A12E5687A21E7C3B553B3D47839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:14.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854E88B612B33936C7EE8BC7322456CC,SHA256=A2E58DFD73C96056A462D92D657D0B4FEC17DE8D03595B425B573538757F3580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:14.518{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC1A4F8FBD14506FC42CF760A3F24E9,SHA256=70E01414305F4F49F9D88BDC7700686E5270781F51056D70586846540C26C66E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:11.284{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53991-false10.0.1.12-8000- 23542300x80000000000000001454714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:15.548{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC2DDC17B2BA87D8E588BE5E5DFB54C,SHA256=00447D150D8917C670E04131FADACF58A85C521D076DB84BAE7CFC4D7DD447F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:12.447{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:15.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E100AC21CCCA8BD5AA2601D804B824,SHA256=412C97E4C0BE1DD7F4CDA3D1DCA0D362FED7F537ACE87CA2CF76D5585CA8036A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:16.562{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAC6D228552CDA31CADA13125F480AA,SHA256=408298EBB335D716CAC9F213F9E5D9B17400E6B11D02FA5F933CC62D357DD861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:16.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02C0E5DA6CACA4E2F9978E0B58F9C3F,SHA256=CBE9D3A00221BBE5A6EF1AE4FC1257BB130A45D91FEB77BF71B3F97EA2A0142A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:17.577{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F53C5D64EEDB59D619C97520F2A583,SHA256=8209028B34E645AE4063DA30394D4ED87A1B463659CE9C828198661C70152F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:17.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCAB5DFFA400766DDFBAA06E3B28C47,SHA256=6D4C4904DCF11BDDA2D704BA7BD7D7CE4BA7D202C5EAC8128FF6A09E7544A674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:18.594{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BE453DD8BD5C0C91268C137F96DBC3,SHA256=7A0A3E9B2773AFC31924495CB0667170F7828EFDA019154862D5F413F2420F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:18.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAF6B47A42B5DC4DA0000F58BE15E83,SHA256=11B18E3EB147F2FBF7932715DC140D323FB54391AE8DF54E92B20BE1C63936D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:16.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53992-false10.0.1.12-8000- 23542300x8000000000000000399416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:19.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F240AC337D1C0C0FE0E9849A0DF829,SHA256=DCF4CC82BD3295511CED9C33CDE77BED9F07C540F6729BC1089B710D8696F0B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:17.461{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:19.611{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79411D441712E0F7D87A574EC7088A28,SHA256=3DF2898B34CFC84C95FC031160B613A93103B873E2D6D764F0A47738328F87AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:20.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDF83E6BEAA5EDF30936DC1360EFE6C,SHA256=2A5C586391643BE7C2DF530A4A488C0E3C39FFA80F54B4FBF7F93EF9114576B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:20.626{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BC7DE68FC81DCC71785003F1841F1B,SHA256=53E31654A9C3C93AD21907DF168741E52EF5925582E0B493DB9A175E142CBA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:21.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D6C1A33C3F366E8D9918C790A1C5D2,SHA256=BA8A99E277FD5A3F79ED4D6930F87CA58FC3F050720DF9F3FE034C9A516AB2E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:21.641{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD03304E1CB89518A9A1E540EF577C4E,SHA256=F19C0D1C6E0EEDCBEC157BF2A5750983FDFE936715EC8621C2645E2F48FE1695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:22.642{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6B33E301178EBB9AD0BB8692D0542B,SHA256=A9004DA4EC76402A04602B1E3F526D22D381C969559CFE82F173935A8FD063EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:22.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945D6C00F333CF77AE6E8D0D93258BB6,SHA256=C0B7E8A73319DA5A73C4AB2E0CFBFAC9261C01E8B610B54AF7C549DC7F5C874C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:23.672{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE68510D473BF641CC9670EE3D5F453,SHA256=410CCF1ECE0BD3F6EEB93616738A026DC4E65E24BF0B743C43ABBD01D9AD9848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:23.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50F17B5D1B7B0E08412A1E5FDCFFA80,SHA256=A302EE58D7669C3677F34BFD1BD94DB7A7F9ED244FD0B58C2CD7CE6444ED5F4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:22.378{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53993-false10.0.1.12-8000- 23542300x8000000000000000399422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:24.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003AA594D655EC37D2F370F5FF4A7E5A,SHA256=475236A86B7C447BCA4FBD0422A5E633C721CD4FCA4B55F1F9C75773A79B3017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:24.689{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A28B07F61877235AEC9D732F27DE65,SHA256=D772DC562892D469BA3A9B3C48C57EEEB7DB25B21D18B90259BBF7A87D19F5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:25.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA853773A7EAC7BE0CB03FDA67095A4,SHA256=733EE4C9F732C5D3A2C6E5C40713439675812ACE7B8C11F4543A545E9F0FD2A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:25.708{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1A467650FA92B5019D58EEC82B2002,SHA256=92B58F193F5D111C7F5FBB3771B77735765E893E243CC15D098EDFA93C63ACF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:23.487{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:26.723{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27693B434BB518318CAE56F17AC88FD8,SHA256=F8430A0910C67280E5D0ED97D8A6E0430DA8824AC1EA9947D7A7369DA626CA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:26.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F3C1BB46BD3A0C1D4D712661BCFBE,SHA256=690A98E81621F7621E6D18DF5725D4AD3F59E20A1AEA05ECBCE81CBE7B12EF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:26.373{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B85D8EF546B51EAE372E725CA4151723,SHA256=74E2438834CC8689D289DE96E83644C66E431B6FCE48BFF6785633BA2FD5492A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:27.738{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0E112A59B846EAE111F55625FAED7D,SHA256=292DFC12439A998ED0DBD4C9B31A2ECEF361F291AD32E044036D5FA4F2E7899A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000399436Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000399435Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0152dcd7) 13241300x8000000000000000399434Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0x3bf8e06d) 13241300x8000000000000000399433Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a2-0x9dbd486d) 13241300x8000000000000000399432Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0xff81b06d) 13241300x8000000000000000399431Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000399430Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0152dcd7) 13241300x8000000000000000399429Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0x3bf8e06d) 13241300x8000000000000000399428Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a2-0x9dbd486d) 13241300x8000000000000000399427Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0xff81b06d) 23542300x8000000000000000399426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:27.547{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979CA027813078069FD1E9B98B9B7793,SHA256=C22B585A184E12B5C5741F1F89F38EB4A9B0DACC4C0D95D9AAB190CC1D271E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:28.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC48E7F58AA41EFF64D66F98171ECE9,SHA256=9031B8C6F2E6778415854F775CD997495C8F524B4C9AE9DABFEEC643D119B7D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:28.547{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78292B2DD4D5D2A7DFD17A78786EF90,SHA256=1FDEF32A4FDF5202EFE656B992CE09CFE563740ED47764F7322495E679BDDD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:29.812{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803C6260FAE2D5A04C687373C6555D1F,SHA256=1B570AF4BF30CA5CCBD4C9329AB7EBAD036A411F34B8C6FA211E367EA620DD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:29.812{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A469120BA9AED0B794CD54F6CCCDFC87,SHA256=8ADC99FF45FB4002DBA01847BE1BFDC5CAEFC7DD3B24AE6E1C383A1633FA77CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:29.547{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6EC42E21573A234A6B37FE6DAAFC39,SHA256=F26CD3D73AA8D861EB706A692ACD605A97FE0EEC01DB8575A09DAF71BBAD80BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:29.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360E0F3141BE3884C500B3FB32A6FDE7,SHA256=BB57AD0F6C5B64DD7A228FEBACA7E3E2D900ED98019207027E4B8C47CFDBEA45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:29.637{D694AEB8-B3E8-60E2-0B00-00000000D301}6562652C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001454738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.805{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96196874C77A93F966D31C901E5CA58F,SHA256=FBB5965E17C8AA9B7768CC173107CFF64ABA92F927F2E82B04B23C570452E2E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:29.085{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61001-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001454736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:29.085{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61001-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001454735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:28.698{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000399443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:28.773{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-65432-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000399442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:28.363{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53994-false10.0.1.12-8000- 23542300x8000000000000000399441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:30.547{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841975C8D9DDD0C04891FFA6D81FC192,SHA256=06063CE9A2C125F38FABDEA92BFCED73B4F520EF7EB25E5BCBD49661DD5A64E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.652{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.652{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=564DE44A5C1EA167F227AB60281F1960,SHA256=D3D4FD64C162F01A35DE76CCF807EA261D4450AD26FCD9796661CE3BFCA714CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.652{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF7DB64D7451FDD6E68AF7CCC577E797,SHA256=695634878896C1C3333BCEDDB0CA8747DD16BC771AB13A6289653A10ECF2FB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:31.835{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA10A9B56962062676C48AE876D92441,SHA256=AD2697D6E73539860FCABE81D1543DDA017ADB1E552FDCE2CFD221F8A774E964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:31.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77ED91EF6C5B7154059B5D4E7E741CC6,SHA256=2E83D72594ADF5519DFD24503C3DEDF0D746755AB9389CDA6F411D06B1556C49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:31.467{D694AEB8-B3EA-60E2-1600-00000000D301}12964484C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:31.467{D694AEB8-B3EA-60E2-1600-00000000D301}12964484C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:31.328{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.084{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001454742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:32.835{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A133DE8EF277414936A5F06D0A4DC88F,SHA256=ACAC610A98F1ABB1409A8D0EE20F43C520CF9B2FF0CB2FF8075FD97461CA7139,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:31.520{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53995-false10.0.1.12-8089- 23542300x8000000000000000399446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:32.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685A33BE89961916310B6B074BBEB091,SHA256=8FB371C5C919A7C48925BCD3AD84985F88777C5D08BFD49EFD780F519F702981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:33.850{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4093A6472EA82904848D210D30FF73A4,SHA256=AE776E32EB83FB5E9163AE6886B9AE62A96E3384EC32E2D9226494AF0DAAC003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:33.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0625BD7A4AF5BD570F93A69795B18D74,SHA256=DCE22E7B97E9F0306C6B95E14FDD63CCF3F913CFAF855CC1E10B9E551F1253B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:34.882{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBD8CD3DA6DEF7B6AD15D2560DEA251,SHA256=6EE8ABFB3FBCA36E3388DC41063C6D310F85AEF6918B9BAFC672D005D682C7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B809109AAA2E106DAF24973E92B8593,SHA256=BD089D4A29C3102D56F9AA2AB4F9DD8DC9CE35B4B802121A13D42A13FA62E2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:34.003{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=41D7F7227272685E56A46165E4A835C2,SHA256=F66EE7AB3A1F328A7B1B1BCC003D1EEAEB9B83EC68ACA00F56729A28EF7F2A6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AA6-60E3-B50A-00000000D401}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AA6-60E3-B50A-00000000D401}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AA6-60E3-B50A-00000000D401}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.657{7F1C7D0B-0AA6-60E3-B50A-00000000D401}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8DCFA6657AD72C39EB53B6D58AF03D2,SHA256=2068AD0CB8C2E8FF7264930E9B15AEE72861A66165F67A5351EAC19D3C5E8EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803C6260FAE2D5A04C687373C6555D1F,SHA256=1B570AF4BF30CA5CCBD4C9329AB7EBAD036A411F34B8C6FA211E367EA620DD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:35.900{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0162870643079FCCEB4E5DC9106EE296,SHA256=934B7D999C93EFB0ED1071812CA7240A80DFBAB272CEAE627E72ACAB7CC3F74D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AA7-60E3-B70A-00000000D401}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AA7-60E3-B70A-00000000D401}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AA7-60E3-B70A-00000000D401}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.827{7F1C7D0B-0AA7-60E3-B70A-00000000D401}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.343{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.157{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:36.946{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B621C6F20D6A9E04B01992BF5B750D7,SHA256=4E8FCECEEC606F2640254A6B0E09BB6E7FAD31678B556C0F3A3B808BDCE66333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:36.326{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7C45D5BA5B1A6A3A170DEBBF8FBF47,SHA256=947759667391AFD6342248B5AF4B14FA7A25C411B54276850D0751C5FC241226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:37.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C88C061DAEB46E418E024DA8E93E8C,SHA256=B6AE4A158FCF9F4CC1072411D470874EDFB19F65782EBE9B22995BC377A9D187,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:34.679{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000399494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.317{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53996-false10.0.1.12-8000- 23542300x8000000000000000399493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:37.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A6642E352DF759EAFD293DB35FB2F6,SHA256=03540826196EEDC77691079AC3644B2221DC1ED23567C5F4F546FE363609D7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:38.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE343F12104F7FDC47847F5185FB5E7,SHA256=929E859939D378AE47F76DD98E356FDEC56E933334A4DD78DBCFBEFC7A5F11C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.828{7F1C7D0B-0AAB-60E3-B90A-00000000D401}33403824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AAB-60E3-B90A-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0AAB-60E3-B90A-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AAB-60E3-B90A-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.626{7F1C7D0B-0AAB-60E3-B90A-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.359{7F1C7D0B-0AAB-60E3-B80A-00000000D401}32242876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AAB-60E3-B80A-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0AAB-60E3-B80A-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AAB-60E3-B80A-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-0AAB-60E3-B80A-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777CACCC84546FB7554F405177123529,SHA256=3261DB516DEF1994256A596998BA9255469B33616E03ADA24CD7EB08D21AE4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:39.013{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043C28660691BA7376303B67C837318B,SHA256=68842E8F99ECBDD05D26AA4F5B36AF6100FAEAD9D5A6064EFC254202E2660FBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AAC-60E3-BB0A-00000000D401}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0AAC-60E3-BB0A-00000000D401}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AAC-60E3-BB0A-00000000D401}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.626{7F1C7D0B-0AAC-60E3-BB0A-00000000D401}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.359{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}10082484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B5FC30125619AD0F6E71B3E0D925E3,SHA256=293FC24678DB519AD01302F900B73E12A09D90447A4BE2AB984E0FED501863AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8DCFA6657AD72C39EB53B6D58AF03D2,SHA256=2068AD0CB8C2E8FF7264930E9B15AEE72861A66165F67A5351EAC19D3C5E8EC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.126{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:40.028{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A948F5665FE348991E99A96D5A0E01,SHA256=4DC66A51F599BB4BB9DCB5A9731514198155AE777EF8E43F83A632A5ECDBD595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:41.718{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099B8957F9C9CBB86EAF121C7B290132,SHA256=E9F20E760A2989663E59519A3F23B53227D2F542491F49FF32384894918C600B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:41.500{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D7C5B3FE619DD87EABBB44843A0BDA,SHA256=9EB77494DC4E19DDDA6F377FCD913B2156C583AEAA903D1D72F72D8670D32148,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.301{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53997-false10.0.1.12-8000- 23542300x80000000000000001454755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:41.411{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A0ED68B14D32A4D041F0B1656FF2B16,SHA256=7F4C216ABF3A1115582CF64280660843E5D8A58F8B7384F514C19F629B2F0250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:41.411{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=564DE44A5C1EA167F227AB60281F1960,SHA256=D3D4FD64C162F01A35DE76CCF807EA261D4450AD26FCD9796661CE3BFCA714CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:41.058{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2F9BE008723F338172EA61A35F6299,SHA256=4EAA7D69708D25E595C4716AA1F8E0ABC62EC0DF29ADF4CFD6A7F80F9549DDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:42.562{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C056881FB7E98831DBA512BE83932A,SHA256=9BDD961BD18FACCC71C27BDC1B1068AA80CA5D6A1F2A44C8D6FED7C03C6E8B13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:40.673{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:42.079{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36AC7ED44A7D8F79FC76B1BE0DB7796D,SHA256=DD73136B0E3FFCBB4DC885146F8E6E4578BE0E834F70E49E4123B380C0403100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:43.593{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59304D786CBDF6B13CA7DF989E00E2F,SHA256=94BBB1817BA2111425A5DCBABBE95B53E71FDD93525F8111D381AD80893CD60A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:43.093{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EB5F78B51A71D2C73B184C3D72D6C1,SHA256=191DB61035B0430C9C216473B002BFCC625CBE2DFCE77FD787619E9CB5C71B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:44.781{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C7599F171CA7443697FBE1CB1B55D2,SHA256=07A8AB72EF9FEC55FCBDCED9C55667A47BC653338D0EB11670BF59454A075877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:44.123{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D01164AE59B3F2C105977C6B8C117F2,SHA256=73A681CB7FAA4D5362D5F91C186E381EE7F28CB53296342B9E7AFA35C14A9E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:45.828{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58919F8C71903019B5CCBEA4BCE39A4,SHA256=C1BFDA10F95B7CDBB994C8D32C7D0CBEE27FCA93D2718714B32396D1DD1286ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:45.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536AE207FE1767E3F9CAABEDCECBBB22,SHA256=8964E44807CC2D4009FCB845BBD7514E557FBCF30DB297E986DB69B1709B47E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:46.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C372487A1D7E165B3AD9A72B69DB0CD,SHA256=C8F141A23EB272B052B15B6F2A046FDDE569A4D5E719E5BAAC668175C1C3AC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:46.152{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB969CCCD009BB29066A06DF0CDE691,SHA256=F2946A4C8E7447FFEE8C43C4D695E8D2F1F9743C0595BD4CD29A2A7D24982CCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:45.317{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53998-false10.0.1.12-8000- 23542300x8000000000000000399563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:47.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FE9FB83DC4F6D30D2E52A024488FDB,SHA256=D10E2B90F3B5AAFA1EACBAC799C75DCA1E8132C818B3E50ADD3662CF8200323F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:47.169{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3453390B83F15DAA79DCF1AEBDF3F5,SHA256=ACA02FF308EB70BF848C809F10C5C4E4684160E8B696B66766C06000706746F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:48.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3A048C9249DAAE6E973D227334EEC0,SHA256=FD582894D9AE93783C7415EC29AE2FFF93606C53BAC4AC2F1FFADAE6D9812F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:48.188{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CFEB63FA2CFB477FD723CBE299F8C5,SHA256=2223A89300AFC12C03222E9AE431BE2AE728268C6B7025CF4899AE9F582708A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:49.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EAC155C0776C115F10F7A17EFE862F,SHA256=5D1395A38A3D428EBEF73332744D8D988ADA3D231CE95F3F5921331FFCC77CFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:46.636{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:49.203{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C044BD2F78BB160CA139F957AFCA1244,SHA256=300F00495E88ED61D47AC5E11894D6D2DC7BC7588439D42409F000B9D5DDE4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:50.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5319DA847E2D501A8234A180A5328B0,SHA256=F49AF629E3A414C277A9F67367E57D6A36B5E72D1A24AA9219154A4808F5038F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:50.218{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0C8C9AA260641830AA61E8446205D5,SHA256=3ADFB6E1B4C43A1F3C8E77AB08A4F1ABA084EC1B1575FA1671D7FF39BC5F97E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:51.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE86D804172A0649C9AB68ADC026045,SHA256=10D2AF2FDF221BF5478B55E330F6F66FB76CD284521461F53D75AAD2E6E3768E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:51.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F710E9547EEF188F840730194CC9BA,SHA256=7E5115D4F6D7140E3771E37813BB735FFF6BC2C366C11672D0A929FB3583D083,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:51.285{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53999-false10.0.1.12-8000- 23542300x8000000000000000399568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:52.844{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD599F06628A128668D579A472296400,SHA256=4CCC687DF2F21B545F0C993C44A658CD1EB9ED7ED23391FB3B9E6BF89560F297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:52.233{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367DD7A1499686828C36F61226E31665,SHA256=14416C8E24EACBD376E53A4BE4190BC3D07693C5B660B75455B06B9BE7CF7E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:53.906{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAC6144753336FE1F3A2A0C17F03936,SHA256=E38DF35B90E7F1BA5FDBEFDCB409E75068640012ECEEFEAA8CC4927B6D0EF560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:53.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F4F4B6E952724764DDEB1B86D647DC,SHA256=BAA94636CA604D0A63212D23B228AB4035469184F0929C0DC8CA72A63B5ABC15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:54.264{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23C8082AC6D661C9E1DB5FDB9F4DEAC,SHA256=E792070B5E69A1C07EC490F5DC4D15179EB4C490A50F5A73A1C06318F1D96C83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:52.663{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61006-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:55.282{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3684B8090366CC465826E8672BCFE12B,SHA256=F6F2A38720B0C76B3F17FEEF426D048A67CF9D562F1CA0AF318123C56492BACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:55.140{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D72EE8F233371CAAF36218D8F0D9E78,SHA256=362401E4BA62DC845011A4DE9EFA9A36F66148EDBE27C3B54C82FF86D434A8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:56.203{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D19494FF2B45DCE90A04D3CECDB22A5,SHA256=A1BF7FF8490F98D9D9637307567A3537B48BD1DAB9CB21F575930E9AC063F4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:56.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A2084880DABA0FC0ABA434CDAD7981,SHA256=0EF0E2A3F848A49FA2C67B80FB13DD868064E772A19E816A5945B8FC11FBED03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:57.265{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFC2B4BCD572288F31DF9880B6A789A,SHA256=80BEB9ECB0B5F6663E8BF25D6AD1FC9BABA8DDBF3BCAC59BFBB321FE0B854F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:57.311{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015B902EE91F3A3E0A15F9E68883683E,SHA256=E8E0CAD2DC656FAE06FCF05419D429B3FCF45E8E3449A27DA27BB169C99C7AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:58.375{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955F9D53BE6B4141958BC0D5C9F56D82,SHA256=1F7CE78D4352294065CB2DB357D6A3A0BBF2C4BC3B97DD1106327BD763EA944D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0ABE-60E3-4D0B-00000000D301}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0ABE-60E3-4D0B-00000000D301}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.995{D694AEB8-0ABE-60E3-4D0B-00000000D301}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.326{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB2DB00B07D97FF2FCB4AA40593ACFC,SHA256=DA70E2500EE90FCB1DBDE25C90CBC9814B954589D0BDB1AB1873B1B586878A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:59.375{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0DC5CA4F9F92840649F83FD57A3D19,SHA256=42F8E242275418D7CE9A768D742D0F7BD05A35668443EA3F9A8A05371FACEF46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0ABF-60E3-4E0B-00000000D301}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0ABF-60E3-4E0B-00000000D301}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0ABF-60E3-4E0B-00000000D301}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.580{D694AEB8-0ABF-60E3-4E0B-00000000D301}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.361{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC6C04BB1534024F84BD511523A6D89,SHA256=73274A17337BA2779CBCDB5DD86F7FD22FD72483ED2C621EB2533111152B0B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:57.254{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54000-false10.0.1.12-8000- 10341000x80000000000000001454783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0ABE-60E3-4D0B-00000000D301}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:00.468{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490F1073DC901801713778F9CFFB1B5C,SHA256=56813AFD719C63969EBBA6C9DF23E84F067886D8A717FA1523309A225C35F3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.394{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2178E6EC54D42EDE1A601EDB827D3FF4,SHA256=A3C57B006968D3AFBD3D6A87F9BE41B8B206EFAF52B4A093D4167384588FCABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.325{D694AEB8-0AC0-60E3-4F0B-00000000D301}47082848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001454803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.672{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61007-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001454802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC0-60E3-4F0B-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AC0-60E3-4F0B-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC0-60E3-4F0B-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.180{D694AEB8-0AC0-60E3-4F0B-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.029{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBB28CEB88602FE82283917EDD95E45,SHA256=543349C6C1060A39479943E042714A51222182D6E153EC30BEFCEA04F65C1EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.029{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A0ED68B14D32A4D041F0B1656FF2B16,SHA256=7F4C216ABF3A1115582CF64280660843E5D8A58F8B7384F514C19F629B2F0250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:01.609{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1B2006BFE03BF8AEE8954349F02E5E,SHA256=02C34DD7F3651B4D4EE8A64C7C092C5536E28C8DCA519F2278EC61DAE9EFAE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:01.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EBC1095210C771640CDB430F6F6179B,SHA256=9B58CB7C0116FAAEF5F3BEA12EF788B8FB3F45FD93D378EC48D91E0DBAE0A84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:01.193{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBB28CEB88602FE82283917EDD95E45,SHA256=543349C6C1060A39479943E042714A51222182D6E153EC30BEFCEA04F65C1EA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.958{D694AEB8-0AC2-60E3-500B-00000000D301}54845284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC2-60E3-500B-00000000D301}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0AC2-60E3-500B-00000000D301}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC2-60E3-500B-00000000D301}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.807{D694AEB8-0AC2-60E3-500B-00000000D301}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.438{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DF062DA74746058B024BD2D2E61E36,SHA256=1641D0F60E1108688DDC60EF838EBACFF94BEE7CF0EEDF8E33C68AD0DB1DBE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:02.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF90EF11143F87A65B009221BF5FCAE,SHA256=23CC955889EB18D60A6DE813A36CEEC3EAEFF06F8B8835F9EB8C7183ECC5B596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:03.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60205998FA05A18A72BC57E9911F1D12,SHA256=840650DC30BA15FFB28C6C0514F241F6E297060D0F0B42BA361E4007B71652B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.856{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55073A09D514883699B42188895A8AF6,SHA256=37ADDD65B188D786612E0D56E189156710B42A44EF72EF264E9D4FD13FF06BFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.621{D694AEB8-0AC3-60E3-510B-00000000D301}62566380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC3-60E3-510B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AC3-60E3-510B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC3-60E3-510B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.475{D694AEB8-0AC3-60E3-510B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.458{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D868FFD763925AD9CD07045359D5AFB4,SHA256=A3767BF1D6F50D377FF578A7542594E563312E11DA0A6B0E9E735CECF8C79140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:04.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E79E8E0983FE0EA64A4CA367DE88F28,SHA256=D3D029D4F71F04B818D1A4BEF83273F4C75EC969E7A767D96EA91692CE1D8F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.988{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CB712294A17C2ABD11D5B9B97ADFCE0,SHA256=CBA9370F7B7A72109006F7FF112F952EF6301EE5D131E7224878078B801F90BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.972{D694AEB8-0AC4-60E3-530B-00000000D301}5448108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC4-60E3-530B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AC4-60E3-530B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC4-60E3-530B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.821{D694AEB8-0AC4-60E3-530B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCBA1E382706D61A0AC2BE26E9B2DF4,SHA256=8324E78510A90A761CD397C1A0B1C6EB773734F8C2AA43BDAD41ADC2F2BB9904,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:02.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54001-false10.0.1.12-8000- 10341000x80000000000000001454836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC4-60E3-520B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0AC4-60E3-520B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC4-60E3-520B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.137{D694AEB8-0AC4-60E3-520B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:05.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE37A4355CCE210FBE202A4812CA1E8C,SHA256=C3A38F6F14F4172C9B8BB851691F9889CACF589E3D5FA8629C3AC03DACB58575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:05.503{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212531DF7E751172E430ED8CA761F601,SHA256=A57F6BD4D874DF9EC1D37019BE8B4787DFAEF353E90062CBB5C0D7EDE39CCB98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.399{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61008-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.399{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61008-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.666{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61009-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:06.518{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307E5A2E5759D5F2E4525FEB12090634,SHA256=ED73774AE1AE414F6C5B2436141C2BA746D5534438C78ECDF8C3FFD4EAE9FB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:06.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD990657E6A04E2975F4A9867081C2A,SHA256=9E58BC6DB410935E2D78CCECC9745BD926ED31A6DD12B28E7EB3520D9C8E6A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:07.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228476AB7C59F3E0A4DC199208EFF11D,SHA256=E13D054CECA4142CFA2D449DD36151F577C843C0A0EF3B0EAD1D4331873A582D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:07.554{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9DDAFE020D9C3E1C9FDA8FBFD96E45,SHA256=EC34205F8F9446BF07FB1D665B7DF3603FAFC69BAF662B1644AB93AEC39B356C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:08.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25487BB50FD27765789FCB5B671F195,SHA256=B5C9BF830171EC8ED7181BA4433A7E1685F6838B4A4D723F3C05A2FC66CE77CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:08.569{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5733E17831B497C6E2D649E7CA6177A,SHA256=2CE3CD4BC1EF3B661B27EBF39BC6582A48BBBDB73F5AFA49FEBA2F7BBABB79A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:09.583{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C4C2B3504F5247D99F0C76213407EB,SHA256=14A1CE8B23F1417C47067B808F9D8CF44C05B53D4310AD2B09D3D01318D947C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:09.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC8321AC6D78B5646FA2B5838D7C4EA,SHA256=5EBB98285BAD0C1B1BF8A33210854A5368A6732A23EFD4891FA265F5DA0AED76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:08.208{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54002-false10.0.1.12-8000- 23542300x80000000000000001454856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:10.598{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390764E510BA1905518E4B76F52003FD,SHA256=5F0E9591F2FD00F5EA25984C4F52BA1DC473AAA9C52522A7BB76DCC5952B02A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:10.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06634F760EF413CD51DFC2AACFF21E0E,SHA256=61909DABF20048D32FA1CD4668F379334219572228A60171EFD1339519CB1A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:11.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BF87A6D69790FF4CCB2F9FE367BB31,SHA256=2FE1EBAE316CFF52DDC48B3296FBD53F7E9242427C443474D17F6D894A9EA4B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:12.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711B39DC6F12D3443B4BFB3F4916D005,SHA256=27CC900A1C801616F39E2C328263C6DA5D9A65A21CF44E813A64C2D610DEEBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:12.027{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2527955E170F12A85293F66DA3B6E9,SHA256=A9E9C5036BB2B3FE2AE82BF56F9BAA7F798DA750B7EAE375815F590D7FA6A3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:13.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93FDE06DE3894551DAC9B40ED23125B,SHA256=A96D78197089D7E7EEF19C31EACA44FE084568EBCB0607B5D5E01C789F0CF5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:10.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:13.043{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D158037087B4C69DB91FAC0F420FA04,SHA256=5F6D9F565F48C0DA94738DDB6E0E64E29E4DB0A894E89820760C27EC10A42673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:14.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84804240ABED77EB0CEEDCB03ED28C1,SHA256=515907C542ED52FD9BE6DDECD661E5ACD04B7B05D98C7767767DF1994D991CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:14.062{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77164B9C6C050CD2B8236121BEC505C,SHA256=F35B9674C113C53D840DFFF37231EDA2090D674E7F1288A95F8802971661A3ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:13.395{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54003-false10.0.1.12-8000- 23542300x8000000000000000399595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:15.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFE0320B884965C6FEE4C4408D869DE,SHA256=E0E4CAAE57B26706BF4013B5813A4BB4CD4531C0E7B3E59BC81C6CFDB27CC95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:15.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E94F785E8AFA7B463D73B0D2E686E37,SHA256=5DD694EC6AACA295D2C935F3439D15D16AE819B69187B893F9E6F34A04EA9989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:16.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DDCE3030D8B09786110D7D1480DAE0,SHA256=EB66CC611559099199B102E363F9F8927B0742DFA21707AF7508613DD4B7B521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:16.091{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306EC63022492ED30F1CFA178193947A,SHA256=89030E31C2E9A6897B30A333CC9B7D40D318B86AA5E450A5D11B000AE9897630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:17.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96238478165CE08EEBAC70D7B004A7D,SHA256=D7E546E57A0932AC557B212B5FD48F95452A8E02C1D1C3334DC3C7CBE3F767A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:17.105{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2525800DBB90D98E49A30270D1C719,SHA256=4BB9B2363369EE2B1C31A0D020A8EB2AB0ADB8CAC14B7A566BD039D16A06291F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:18.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036293D347DA9B94C480A625DE0D64D7,SHA256=E25130249388F4F84807308557ACDD97C64C938AA8C8E33870660B3773704206,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:16.483{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:18.120{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD63F41964F4435AA1C8A31FBF7E0DD0,SHA256=269A0B25635E9A659C29ACEEC5D3E5765A833BC9447B3604856F635B0299017A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:19.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0C1233C406131FB30F37A966EE6417,SHA256=7FEECFCE627957DE6416EC1B32728A9FF0EED99EC07D52B9EB6C0CAD53F44970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:19.137{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD311759000D0A939344D6B41693296,SHA256=A3BDED4999FADC345352161C8232019D5381AE48F6D0C003E62F0D73F3284F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:19.364{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54004-false10.0.1.12-8000- 23542300x8000000000000000399600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:20.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25261E97E5CEF21CAE9D9E41713DC44A,SHA256=0C06681958BE591F0AA126CBE20CB9CDD655D69432C4408A6D7315C11B8D6349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.170{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC7684EFAA4205991F81C221741D10D,SHA256=0E177EA626BA48E2F0EE2D624FC27C7B48E682FB4D339F0D2ED8FC4B54BF29AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:21.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F1538F9EBBE8248C5D3B93FC07F1FB,SHA256=A60758ADEA19CD3F3454078CD72B44428A088B6B8D3D53B8283BD0AC3134DEE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:21.600{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001454897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:21.185{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0024ED2676E400641FD9C392188637E,SHA256=3D11D694606279DC781D4EB71F125DEC1EB4B891EAA326A019984A7357E6F0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:22.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6312574EE6AB5ECAB69B2AE98046B2,SHA256=EC291C3D65CBFFEA120C89ED31E2921692E020AC168ABA4BB9452D3E6DB65CFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:21.051{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61014-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001454906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:21.051{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61014-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001454905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.942{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local61013-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001454904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.942{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61013-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001454903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.935{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61012-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001454902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.935{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61012-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001454901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1898095EE69227B07C56C1C576249928,SHA256=A0E7A53CE8734A2C8207B2963CAF8C9FF154E6339F29161C40E47D0379D263EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAE562CD182137D0A50B8FBEA7DB4288,SHA256=D80E735C285B6254922CA6F29458E28241E1A23AEE97985CE4C4D057839D6EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.199{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C5F52942B271B4538F0302F685FD07,SHA256=1F9165A6C16143B58F22EA096615005751D6796771C9095EC8E215841F827520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:23.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D674B5D7F5ECE6B8F6777D8C733A66,SHA256=BDF8D545525DF2FA7E345C1C2CDBC5C4386E3618C235DC32BFD95B66683CF689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:23.214{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E5A90A75D706323C7A61444913CF49,SHA256=89F85D12A5A881839E6178573EA89AF4AF244046D2F248034C64A4C1302F2C87,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001454910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:36:23.052{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001454909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:36:23.036{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001454908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:36:23.036{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x8000000000000000399605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:24.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4F059C3CC3399104FD037A19DB81F8,SHA256=C0784D928E49D21AAB0E77803CF30C0B898F32288016040797A8119FBDD30DB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.499{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61016-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001454916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.499{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61016-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001454915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.478{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61015-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001454914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.478{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61015-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001454913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:24.231{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083AA6B1828F505A7EF9F78631D51755,SHA256=8F9BAAAF93879077949313E95AE7F9D80E3642C124112320C4C60E21F7F822A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:24.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1898095EE69227B07C56C1C576249928,SHA256=A0E7A53CE8734A2C8207B2963CAF8C9FF154E6339F29161C40E47D0379D263EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:25.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E61BFE9EC9D4659F7C73E041AEC3821,SHA256=F954CF5DA469F8EEBDD95B6C3D87D5EEFEF01E1623DA7B703CA80EF9E2A5647C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:25.249{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C9CD24AAFECECFA5B25B6CB9D86F43,SHA256=9A58336D5C184D8A73771C38A9788704F69DB688F569C4F27E5332F6D2987DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:26.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4118C698F10BA92C862FB46A4EDDEB91,SHA256=E6E8959F8BEEDB21CB37955631DB054030716FD2A40D84BA8D5CDF7CE751CF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:26.295{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1A39DBA00B3701353DE1591FF100A6,SHA256=1774DA6860EFF03172280A1DE456C6550F637EB6BC74F007657DAEC4FF70EFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:26.375{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D3F7AE9AE4549841519686D40B2373BE,SHA256=AB10878C051B56DE31A35F8EA72466640EB2BC420319D7983A26B2AA2391C12F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.514{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001454920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.509{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61017-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001454919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.509{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61017-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x8000000000000000399610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:25.334{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54005-false10.0.1.12-8000- 23542300x8000000000000000399609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:27.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B60DE0ABCEF5544B40741682B922E9C,SHA256=1BDD988ED748BFE8E186FEC6EC5D55B0D2610161951DF794722385621D441C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:27.310{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D8AC7DB7C0DE48CDC9EBC326C2A025,SHA256=F314C397863BA3137C57944238BECE84C065AC6700779E05524CFF87BFE82BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:28.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BAAF8D851AEBA681071A950B1792A7C,SHA256=F1FC286E13C8BD48A851B0275D3FFBBF130FB83F32CA214E0EC0E3EA1E918ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:28.327{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B8E8DF60C86014C1FC4EFC021F2997,SHA256=9D301209495B55A1D9666D35A95E28806FC5B6E48A96EDC7AD3FAEDFED779042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:29.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF4BE9237C92A5D6E53AD403F68FF41,SHA256=17B1AA263907FD43332EFE2B459958BF8AD3F28FC94FD85B45A6C1071C0AF359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:29.361{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1CB5C3D8E1AFE29D25673444AFB9CF,SHA256=7724A75DA3CCDA191ABC1CBB6DE77B84E86CC389D7509A5B2AB9D4125178E1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:30.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C346F886A1C2DCE61ACCF03460D0468B,SHA256=6066F54FC57F20DB3F8BE3AEDDC43BD5DE32A826080982D7667E2545677427FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:28.554{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:30.675{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:30.375{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE077A3D431FCEED69C4782181738D5,SHA256=1A72333380481E463A981FA0035CF5F219481A7AD0F432F0CA74145E8E1491C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:30.484{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CFEFEA3D42E0FCAAEF9CC35D7540F69,SHA256=4FAE8D226D05950F1CD24A4A4BDC631413C42A5A07DC5814C8E6EED8AA60DB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:30.484{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D9A8CD45CFA153A158ABF9EBA27D70,SHA256=D8CEB91ED012C4E051880391CDCC991361A09DEE3E501EE03AEBFAD3B604CB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:31.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD03AE5F8CDEA1DD90E94930DE99802,SHA256=6ED7D3B3928ED7DA94F8E189F80BB554A35EEFA9F4863E7CE27849606C896A18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:30.106{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001454929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:31.390{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51C6A7257A47D9E6B79D5E92CBDFC5E,SHA256=AC29BC91FD3CC28E1A86C0AEAA417D3DFC4C7238DEAB3C746D80E2BF37F03837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:31.343{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:28.899{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-50275-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000399619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:32.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132A0072F85412EF2AB3373B0BB0F370,SHA256=210BDFF836A765B55AD9B00E6B7269670FE432DEB7BC18073AE45497ECEC4BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:32.404{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321E834521A71DAB12378C65AD41BB0A,SHA256=39CE3F6943D3E5A8590E8140EE711A4791BF1BE8A1F5A50A91F92F437014DC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:33.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2B4357A70340B6EACF95F66293356E,SHA256=CF2CD9D89F99C6BA9F804EB34A6D719A207B5AEEF74C92D088E31579300E5846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:33.423{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D58B6864C02198A40DF80CFED511B69,SHA256=5B5D184A81ACA548A9CE2CFA283540EFEE4872C7C24B4C9629B6C940A9894424,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:31.536{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54007-false10.0.1.12-8089- 354300x8000000000000000399620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:31.318{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54006-false10.0.1.12-8000- 23542300x80000000000000001454933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:33.387{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F19BEC427F784A3D908F847AB9507D2,SHA256=A14A0A79C649F3407C96D573114C0F5EB17540C6D2CF2B5CD037419D86C8164B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:33.387{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B70F23E71A0AFE5B06CF0B5F91CAC8CD,SHA256=9742EC3C7D75C73B49BC8BF3B9949B636A76194D205B75275737EF5AAA0DBBFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.812{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}34801556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F96C9335404747D16D5AAE8CD699A6,SHA256=9EF715A5334A6DD6B7C13641D9DEAFE974812988225E5642219F57B12F45369D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:34.439{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54FE0B47B1ED53F42DC2E6BA102C424,SHA256=A2A8B4E56D6973A20046E2B99A81D656ED4B7D5D91BCFE3481C77A3453F77FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:34.018{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=59D70B87748D61508BBE554205E7AA15,SHA256=07E5FBDB7BED12A783D2598B35345B4CFFFE8E2792CF9F798117033F02CEBBB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:35.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEF4C0C6E495200A8A47C67A4994E1D,SHA256=2D2056E15EEB118EEEDB514BDC688CAFD580AC9F9714D27EFAE73AD9BF8234A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.782{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E165EC45F52C2B155C18D497C1819895,SHA256=F90A7CBA062408E01540EDA55254EC17290D1FBBDD17DC5C9EF5BFA43F7C6269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.782{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CFEFEA3D42E0FCAAEF9CC35D7540F69,SHA256=4FAE8D226D05950F1CD24A4A4BDC631413C42A5A07DC5814C8E6EED8AA60DB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4C46D5220A6171F8323F83DFEDBF8F,SHA256=BAACA32C189172249D1F1F9B000688E07156C30A12F6AE722134D35D846F3889,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE3-60E3-BD0A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0AE3-60E3-BD0A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE3-60E3-BD0A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.344{7F1C7D0B-0AE3-60E3-BD0A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:36.469{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB51BDD4882CBE3E5314392424E64C2F,SHA256=C2EE9B06335F191D14EEA672B7EB77CF64C511F19C5249AF6F4AF894CBFEF7EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.702{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72F924B2074F2409990BD0CD246A59B,SHA256=F43C5F8D91956E705350D5BA4C672EA30B4FD298FD7EAA0F24917D183C6F3C02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE4-60E3-BE0A-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0AE4-60E3-BE0A-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE4-60E3-BE0A-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.017{7F1C7D0B-0AE4-60E3-BE0A-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:37.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6761E69CAF0C35B638ECF6F171EA815,SHA256=13981B7EC2CBDC863B419D62015D1A56C92651ECF98AF01E7941CA588FD04163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:37.483{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F29042411741682F26E9AEB10A945F,SHA256=A4F5089A0B051BED62749664146510F5CD209AA81C9E30991D9F4C4017AB1896,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:34.585{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:37.030{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E165EC45F52C2B155C18D497C1819895,SHA256=F90A7CBA062408E01540EDA55254EC17290D1FBBDD17DC5C9EF5BFA43F7C6269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:38.735{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F4336306D0872C07459A6D4F962D883,SHA256=9E716A453AB06979B6CE8152D904D514DB8048506D5A994B10943A70B124BA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:38.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBA579F296AE85BD98C2528992971D4,SHA256=4ACCCEC6CB6134AE4E6E7D10289245B8D19600AE316B327511B6B5BEE53155EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:37.431{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-35808-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000399670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:37.316{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54008-false10.0.1.12-8000- 23542300x80000000000000001454941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:38.516{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C6BA31193D1AC0A59418B213B4C81D,SHA256=DFC5201FA6A79AF433F5F122B0B2DF2A3598A8865B6F220248C64AF24894718A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.845{7F1C7D0B-0AE7-60E3-C00A-00000000D401}5121072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:39.534{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5BEC534224A499821C53EE42936171,SHA256=F9690B5ACF4C769EFC0BC2A1FDAD7DEA61895FAFFCD0A47EEB266829D86C5414,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE7-60E3-C00A-00000000D401}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AE7-60E3-C00A-00000000D401}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE7-60E3-C00A-00000000D401}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.627{7F1C7D0B-0AE7-60E3-C00A-00000000D401}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.345{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}40842272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.127{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:40.565{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C469F4830C48439E7712189E1070AAB0,SHA256=9865E491C26AE2F7207F8483E5C62104FB99870D6FE8A47F6BE5E6D8F13C56A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.782{7F1C7D0B-0AE8-60E3-C20A-00000000D401}25163920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE8-60E3-C20A-00000000D401}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AE8-60E3-C20A-00000000D401}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE8-60E3-C20A-00000000D401}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.627{7F1C7D0B-0AE8-60E3-C20A-00000000D401}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.157{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1916E8ECF8A607F614F0EE70A0FC8095,SHA256=914FE3F471E44ACB4EDE0CD82D12E808D010804F95B77B732AE64771183CB93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E589FBF26A1739C165A947E249A57C0C,SHA256=B2D94A25F6AFDF18AEE9BED755B4A650218F44F0DF57F8967313038B3858046F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE8-60E3-C10A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0AE8-60E3-C10A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE8-60E3-C10A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.127{7F1C7D0B-0AE8-60E3-C10A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:41.595{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E40578882B89FD7D6A5F21C2A9C03D8,SHA256=5182356B81E5059885708EC4EC0FF6120DD522E1B2418DCC24A503203669DD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:41.673{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56B856B93F51EB28738AD8B2FDF36971,SHA256=9BEAD0230EFC66C6BC4BAAD44FD2B4A123C1CBF70B6F0735F3A8E3E8483641E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:41.313{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA082E32F59BB537E9690B1A9F4EBFDF,SHA256=CDD07E5893D5758208AF62AD0C43505D0E34A40DEE0B7291F272961D8E3F627A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:39.596{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:42.611{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC0B6859047E8CD092A493C41DBA4B2,SHA256=5466C034C999ECD15747D7401E5213E38992669C202AED29AA34CBCE06FDFAC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:42.548{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79A3371E48FED1836AD88AE6EF47F3C,SHA256=7201536C3E3FB24EC7EBD15AD6236AD6CED434F42CED319AE01348CD6FA3688B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:43.548{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6930A85BB652872744171B8F24E988DB,SHA256=54E9672D8064B9298150A88A629F236135E8494C37FC0549701A1CBF7D731C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:43.631{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB304F7269690DE2F03501CFE6B751C,SHA256=16EFDA0B5F603609300B7E29BF39AC4FBE6B35F5509E0D4EC9D36CB6881C3952,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001454947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:36:43.062{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a2-0xcabb31d0) 354300x8000000000000000399736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:43.287{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54009-false10.0.1.12-8000- 23542300x8000000000000000399735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:44.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E86C96406B71B1A3EED01AD6BABFE5,SHA256=186AFA8F4EAEA4FC8CBEC2F3B62586409CD9A1A14E45D91B3D4AD5D6B5E67264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:44.645{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDE02A95E11EFCCB3A93AFE6B694BF6,SHA256=541A8998E463D239B665D4DBF41768F9F71AD6842794379624A7DF34AA139353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:45.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD1E1774A8394800BBC5631EEABC3C7,SHA256=17271FAA21A8284BC4BBDBCD0097E0AEF32D23320BF80FC95B069406D90B46D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:45.675{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2391528E485DF7F1D8361BAA6CEDCDF,SHA256=EA7B83FBA65FCC05DA4CA847B3A15F665F8673913B54466036C72B4C25C45789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:46.690{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA0981A6F22A4E223E4BB8E4232994E,SHA256=A13805322CA3AD6DD77AD8C0532DC2AB7E782DF88C83FF432632EFDBB37D54C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:46.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AAEA4ABB49AF44A7BEACC55F039B97,SHA256=F8F2D1B363E39A4FE2AF53B1EBFE7B143F63E3212119E2967130EAB5A7B82648,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:44.607{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:47.707{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0D6BC04C6C006319E9072795866082,SHA256=A35EF2A8DD9816D68A0A81241FDA35F7990419744A3B8A1BF43CB1C6D4823A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:47.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B74C87D7E659E52DB7CBD3E973A59D,SHA256=587545E2F86402CAFB325E44D4AE8DF86DBDED4F33796907616623B784433702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:48.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B1C8C29BD46DA78AD3F393B6E1A3DA,SHA256=77E92E9A37E6FBDBC7496C12134962E0FB32178B2E79A5EFA78ED90DD46434F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:48.725{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337FDBAA944732504FEB855013E153DC,SHA256=04A503F002E2244B6C71D8E6DD5007A06CA9FD8F999E706571B2A120AAF2F6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:49.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEBBF656504C576DA5EF23B041E692C,SHA256=1B3CDD2AACF76396B52BC7B2836F37FC76FF5B56BB036B68A9B205735C5309DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:49.740{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01CEABC5454D5535E16779E9993F726,SHA256=87FA561492F87D8DB91F5F5B5FFB2D67C70D154AF2A95D4F1E378B79B6A643CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:50.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696F6490C3085BBE60104F88F9010135,SHA256=FF9F9BA65D86AD38E4B7DE7AB3AFEB81EE3F073320F6D3667F4054BE164AE50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:50.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462A17F514D342B61F9431139E1292ED,SHA256=57C476BE4C44CE8EA9BB3A30ECEDEBC2F4AD40D69C2F215A5A645BFBB3C8DACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:51.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D7481572B7E65912116B3E6B1707F2,SHA256=CECC57D3C3766A79CFDBEB8F1B6903DBA0B8AD0E62ACC15291A5BB3EC490A0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:51.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17C6C102ADB071F95C27DE8F137C669,SHA256=492296FED49DF4E2B2820B3567783A3F86F8287DA16F77DC55625A2FE1F1D264,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:49.272{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54010-false10.0.1.12-8000- 23542300x80000000000000001454959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:52.938{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BBB46BDF0B7A5104C6498F07E252A6,SHA256=8D5C3432747B3BB534FC02F684E8CB4601F6EC8227A36B1F33E2B9F54308BE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:52.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004BF8CE63BBB1D036E78B798AC9A729,SHA256=5D69411D13964565508F94B4B2B6F49FE5B3EF81263A5029DE6E8893E909F69C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:50.633{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:53.968{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E57E33421A755130A534499894242AA,SHA256=8371E62E860DBE88C3409159D078752029021270522BC9B4C60DCD338B330C63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:53.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452884BD5DBDA1ACAA48DAB9C5EC0361,SHA256=068946C93EC48BB0263AC8D7ABED3EB3C4858AD17E9D1243FD1C15D57D86FDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:54.982{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8684F29D5FD75DF530DD6B058AC3982,SHA256=AF007A687DB916B7E9B5B617E419411D2EB3F765F9EAFCB5F1F28E5C1E81F818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:54.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDF00FD722BEFED5C91A6F980C4FAE5,SHA256=F5FBB44F8D7884BC83F518718327E09FAACD357E4B249792541F1B327860789C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:55.999{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FAFC4A19CCCAF2F118E0AEC1C92B12,SHA256=01180CC90F52DC89219A3DA1F420AE2F21AC4E51A5B4C5D1F5DA6D585FF4E7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:55.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D9F590B6A9CF018348AF250A70C81E,SHA256=292E6B5E53787046419969FD5448B376EE9E32AF25F5C6E6E2FAE77AFFC7DA6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:55.256{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54011-false10.0.1.12-8000- 23542300x8000000000000000399749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:56.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C946E87FCC0F48E8FA1A396EF95BEFEC,SHA256=F17461ECC351F608721998221629002004774FBEB9645DFB45229D0DC4C4E993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:57.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A68811092958D18980A8187160B57E2,SHA256=F6589768DF80010736CE2EBBFA420C4693AC0A8A34CB8F4FE03C16D605120AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:57.018{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684EDCA8D49461E47676D66113E320F2,SHA256=22124EC137419B8936D52E56EA7A9816D3EF138186DA955A86374F1F2CB386FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:58.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7A7206FDD86B067724B3CC416E2B9B,SHA256=451C9C9A45C44A47B6FFBDEFEBF66D574B07F8EC9B11745FF94954D8B7D5C624,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.997{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.997{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.996{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AFA-60E3-540B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.996{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFA-60E3-540B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.994{D694AEB8-0AFA-60E3-540B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001454965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:56.642{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.032{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A78055E098389E4957DE53356696148,SHA256=B70D06B1201262FD36B81B9988565650D68C56E39ED3BDCD9F2A18278E731671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:59.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB483DA8805D1DBD5142115D501B8F1,SHA256=C2DAFFCEDF32FB81B7F6E312BF780587480ACC3CC7D18AB83ADAFFB82E670FA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.877{D694AEB8-0AFB-60E3-550B-00000000D301}57446316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFB-60E3-550B-00000000D301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0AFB-60E3-550B-00000000D301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFB-60E3-550B-00000000D301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-0AFB-60E3-550B-00000000D301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.047{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0CCF0DB563EFE150D9468965944AD1,SHA256=0AAF83E44C1F39B8D3986DC688CFC70DF7F3195337B67EC5631E6FE3BFA8E7E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.998{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFA-60E3-540B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:00.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589A4DA1B3218AF896126BFA9B1D3238,SHA256=4E47EAD4A5BCD5EA1B37C685B62B3336ACF4173CE5405A90D6A0D4FAF8837114,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFC-60E3-560B-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0AFC-60E3-560B-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFC-60E3-560B-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.362{D694AEB8-0AFC-60E3-560B-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416D81F229E2F742BBCE2D1B729F58E3,SHA256=AD63FDB48D2364D278417300FF13F83DFD516C20CFF37F96B5D6423209D9C0F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63208E1652F0C47353D27ECBDF28B9A8,SHA256=DF8B670B1DF89FEBA7C1BC04A4F8BE947471175B3068DCFFD3A3F55BC0F20CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F19BEC427F784A3D908F847AB9507D2,SHA256=A14A0A79C649F3407C96D573114C0F5EB17540C6D2CF2B5CD037419D86C8164B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:01.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0EBD3DE44439F82F00059E564E0BCF,SHA256=80CFEDD201FA92AE13CCF93A1E202A1395D1BAEC481D2C1D6E05F1F0CDB68EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:01.413{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63208E1652F0C47353D27ECBDF28B9A8,SHA256=DF8B670B1DF89FEBA7C1BC04A4F8BE947471175B3068DCFFD3A3F55BC0F20CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:01.063{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98573FC9180F44982DCBB400DFBBBF7,SHA256=3F120C752C3DE4BB2E9914D829E5A3CA6E7F48BA48EBA19D918BC2F04079E64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:02.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B96CC7EAD0A530340E9EBA0C8DD4F27,SHA256=1EA3CFE407098976845AF08A8270EC5EF83F557C1B0AA819829154C219AAED83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.875{D694AEB8-0AFE-60E3-570B-00000000D301}23286688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFE-60E3-570B-00000000D301}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AFE-60E3-570B-00000000D301}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFE-60E3-570B-00000000D301}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.714{D694AEB8-0AFE-60E3-570B-00000000D301}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0943D47D3783E58AC97BB38DC29A3232,SHA256=13191A50502990B8E92B85010B7E483E27829A34700BC1508DA90DD9135FAC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:03.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE766EDCDB993E7885DB2E4BC18E9F5F,SHA256=F8FA8C4B23F24180D4BD3C3019068061F39EE8234D2DA0C021D4E9CD6315351A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.843{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DEF8F23200813588627DE9D339FBE76,SHA256=BCD484A671AD7DFA903676D93DA6C86963EA40FE47AE050991A1752545F23179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.512{D694AEB8-0AFF-60E3-580B-00000000D301}4324552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFF-60E3-580B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0AFF-60E3-580B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFF-60E3-580B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-0AFF-60E3-580B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.112{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461FB01A5EE31A8F8F252F458E23FD10,SHA256=84ADE9B991300B22F67B571FF4693D9F7A34CD97F67BABE3C8D974C9D336FF77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:01.257{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54012-false10.0.1.12-8000- 23542300x8000000000000000399759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:04.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CB7B8E4CA8FC00CD7E110C97D15B8B,SHA256=48C65B499018F5C8B6BE693084A57DBDA6D8449CE38BAC73AA65BC01535C1E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.974{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E237BDF6BDE1D0C3A1190DB19D0DAFFC,SHA256=64762F144E6E8AAB0D793E6C32FBA4399AD2DC645ACF0FDAD33ACB5C06E18D9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B00-60E3-5A0B-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B00-60E3-5A0B-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B00-60E3-5A0B-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.729{D694AEB8-0B00-60E3-5A0B-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.197{D694AEB8-0B00-60E3-590B-00000000D301}52085040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001455027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:01.659{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.112{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F34C1A938B1450E757605725BE2854B,SHA256=8509CAD73C5A3C4C1919A2DD307FA5B5C177C2FC30BCA3047AA143123D0830FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B00-60E3-590B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0B00-60E3-590B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B00-60E3-590B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.045{D694AEB8-0B00-60E3-590B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:05.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA29A111489F6CB297B5D18E5F2A646,SHA256=F224736735FB4AE5B567F6C54D27CE3B34EBE3C9117695AF554D4907D9F24D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.406{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61027-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.406{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61027-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:05.127{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAC005A5F5C0B0B5672C4467206B4D8,SHA256=F39A6663DEA9008548F2B700EA6C46EBF0B04D5BCD313989BD3FA42CC178B0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:06.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3240159B2ADBE433C5F5AAE51C1815,SHA256=452D87E36572B108C3858DB718322E950ACD1C477D0ED3D65DDE5434BA018699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:06.142{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4D42AC5A814735459EB4083E9640D8,SHA256=7DDE7FEBD3E5FFB4F25E7C09281E910B441C3BC6C3435725C118A755545B8D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:07.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0CE2EE65190018021F1B3B4CA3E5BB6,SHA256=B2A54F35E8796E21FF8BB0AD8E6E90713461972C3EB6EB151D8BAF11E912035A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:07.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6513B0E10D73B07912259962311D945A,SHA256=A9FF1E1433BAC80F1878B89308D5562EB4D0900C3929B3DE88C4B49A9ABF5AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:08.782{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130D8A00E743BC18CBC0F9FB44BC466C,SHA256=62AD6F17D3CB70C0F25F93B47D26C3E3FB2721830BEB77A8C7D3070DAC4F4F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:08.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79B5994DAA014473C7B066AEDA1A6AC,SHA256=012522C89ADD59FFBF1277AAF6125AF104B96BDD34779A465CC11F5F49D5BBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:09.798{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BC30D90C56B8F38CF97AE835C278A9,SHA256=ADEA31286234B4DC1ACB2ABFA6B5CD054921C87CF5630DDA21C09D1B8BDA37FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:09.190{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766C3D1816A29ED4A04A7D54B9CEBDB0,SHA256=9A0BAEC8AE97C967BA786B989C83BB6BF1E4C408B1E8CEBF8794408EE63499B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:07.272{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54013-false10.0.1.12-8000- 23542300x8000000000000000399766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:10.798{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFBDC09772507F9CFEABDED42F10764,SHA256=369248DD4E07A8B7CD7D53BBB50175A4159B69C32B3EA7C845E3303157C82860,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:07.657{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:10.208{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6714C12D0CED89AC832252590C9A464,SHA256=8153D34368F04F835470ED75187554D738912AF1275A4106601D64122DABECDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:11.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6918F0C78137BDADC0F7DE7CA0553D,SHA256=7C07B9B7F735F0A3EA7DA4F1DC6835972CE990672CFC26C218E2E95B92ADF906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:11.222{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8422B9777338C4F6D56090A9D1ECA1E4,SHA256=B0D0D9FC9FB871A0775B370ED75813D672A04D825372544B60CE960224E1C699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:12.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA864DA379DEB9CF0709CAA3C03B881A,SHA256=3C5BF112AAF1D5DDAAD4FD37826F4920C0A248E52FDBAD5A0A48B4EEA41D504A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:12.237{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9B87965C68864C264F9B7C666A9247,SHA256=4AFBBEC666590118AEF2FD28C96E137B6F4940462E94A29D47FAED655020CBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:13.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE316507D20E151F868AC747B09B7FA0,SHA256=10F69AF5E0F9BB9B58FB612A88202D4FE1777F352D156E945618A3500B7C1023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:13.267{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D65070A5A9FE0BAC1B927005BDDAD34,SHA256=7B7ADEFE9243A4B2F82A6D828B90050ED84E954F75B105572D8D4957715BC7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:14.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF37ABE3DDD50E69DDC8B26076F64359,SHA256=229B4E3975EEEE5169F2139A78D5DCC5CCBA20E43D8C2D724BEFB4660CCE386E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:14.618{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=43BA2A50DBDD3681EE523BE05BF65976,SHA256=A54A3E10428206109A87D8EBC0BB7443BB2DBA6368F6327599CFDAD001C505C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:14.285{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A53C7D60FF0170708A17E19B26617D5,SHA256=1F4E005A2A22B71BE730D0F463112B4F7427C0DD85EBE02D88E1757CC91595C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:13.241{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54014-false10.0.1.12-8000- 23542300x8000000000000000399772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:15.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2AF6A9D9BCC566ED7CBEB5CD0A2ACB,SHA256=D1BCB26C134A5C0900BB765F860B40438A6D0792FB679AE1DD511C16EECA60E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:13.650{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:15.317{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B5300D771FC401DBAE247FBAB8DDFA,SHA256=F09494C1A36169E3B97492A422D8D9F6C5DD315E4D00D93A154C03CA656310A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:16.335{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B564F515C4CB3367684A3126C8AC6139,SHA256=32D9449FE1E4429F520EB86AAED5FDCD1079BF255DC13C82266A0EA45164DE31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:16.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B23FFF2625838E4643D0C5CE108FE33,SHA256=418F134DB22534F7E7993985A57B9D67CD26883D73AB353154657A75DA4E0E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:17.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4164E5130C9D3B18D30D442CE8630D1,SHA256=D392EEC87E09C12BE349EA540232A84B343FB7D162D593FF55CD7987A61CFFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:17.382{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F3C90371799D725B132DA33BF139FD,SHA256=779B6D60E9FCFB9B76DECEB56D33B2F1F5F981834CB0E83B3CC792B3DD221468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:18.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE5E4371554703C56FB7CB40F34550B,SHA256=CFF3ABF040CC9DBE1CFC92F4B8EB303E77990588B53DF06EFB900CD1B1C546F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:18.401{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CD2B23611D0DD8159907EEC339A8A7,SHA256=2D799DA9A12D8C05EB857330E709F013031898BAF6C19C4F6EC45CA9D7172744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:19.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C585D3679F9920F608E052AFB9BFB1,SHA256=DD8C20C09ECE2BDA53C89577F3D4A7F8F3F1FB17A4E70B88918940263D2E589F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:19.416{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386085A033CAE388CB4F5609409687F2,SHA256=466F3758F5B94997DCBAFCEE21FDE2F2FF50758833FCDD8FDCC6C094D4D326F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:20.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF2FC55EEB59DB5645588F9D62D49FD,SHA256=051AACD4B7E950C65BE05CF2AE6B1E7C34A00F4E8005E0FD5940859F64E25D59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:18.663{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:20.431{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F5C61BA09DE14CB33FB9CD7E109FBA,SHA256=49C0D2B7B1696A84C960A77B6FC4679EC12297698C7804676F9E3E76417DCB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:21.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD95BF68D28D4BA2A9A4F059D1FCF90,SHA256=B4293080D380D576496547F8088D198C27BDCA54EFD4F4EB8D6731F2FF2642A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:21.462{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BEDB6A0DDFD1F495F78E611780CDD3,SHA256=E5C115F855287BDE18184FDEF4E7106DD37D9914F940F8D1AA2493451A9963DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:22.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBE917A44AF57B65656E7B3CF3D6DB9,SHA256=A028D222551723B54BC6B810D7CB89D9E5D2ABD2860DA283264AC011F32E5EFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:22.498{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:22.481{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282654B5597272A2E502A44976B36848,SHA256=68DAA3BD36164167C014BC860ED513DA060B877BE0DEBCE56471346FBEE96248,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:19.225{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54015-false10.0.1.12-8000- 23542300x8000000000000000399781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:23.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F9FBD3F7B93843A189A60142429699,SHA256=F595E2FF977DAD0BD0094E0D2860F22EAA3EC9415C983984FDC23D99715C0CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:23.497{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC3A76E0BE9FFF6E8A3A5508E71C762,SHA256=1229019B91F054511365FAF7BCB2C30CB7BA6A4648822BE8429F75AF424E968B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:24.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0286A0F80156F22DB9D276575A8037AA,SHA256=37A6235796268F26391FBCADAB85444F3D201C0E720A5EF5729DC9271DF92A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:24.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39BCD7ADD2CABE2AB6D624C15FD9239,SHA256=ED96648BE786DEF99893619A0E59884B783E56C6F191EFC3EC25DF513313C649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:25.845{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FAC049D020D0C7B888F1681DE502D9,SHA256=50A23801B342D51DCC423A73F5A860E50BF6AE8AC5DFB82F827EFFC5D125DE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:25.526{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CD33EDB6081F077E59A303F19F38FA,SHA256=1814292A93E39EC5342719F7B7FFC271A91E269D19C814FEFA5455C785B42080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:26.892{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A69D08785EEDD4FD4514BD816D25EB,SHA256=81793B6F137B4201D287A4FD00DA58770FFCB0D412D9FE8ABBB74F9B5BDD297D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:24.688{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:26.556{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F6ECC98779E0C33572C9AF02114B1A,SHA256=FCF48F3EF119EF182783047F29552E784C0B42D8D7F5673F0A65E41E684F2824,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:24.444{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54016-false10.0.1.12-8000- 23542300x8000000000000000399784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:26.376{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E2422BFA9514B6C0F7FF9D01ACEBDDDD,SHA256=A73C679E00F14CA51B470238FC34000B04F5ED7D3101F63DC78FAF0E5B18AB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:27.954{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62C5CB7E1565937A04CACE73AD12BFE,SHA256=F7931DCA2885E146F9E932E2FD56A8AA7FA1866A51F128A5014CEE769E8E98C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:27.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A3467CE6DD7BB5B34CB47B61072292,SHA256=D1381C9D02DDFA9FFA0F9B9912817BBCC55824E37DDC0969AB88113D7B27B092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:28.954{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1DE95678C2BD843025FC0C1E682B61,SHA256=4A676E60191E44B27CF125305D67ABEDE3CD45EE5B5966F56BC9244A1591EF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:28.591{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777899023300B35EAEB6BD808FE62F77,SHA256=3A2D9B4F942D54A207F7039AE53FD48C21CBFC53BAAA81FF89AA34443A567C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:28.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:28.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:28.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:29.970{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4ED827A915BF1B27AA7C88F40E78AE5,SHA256=6C789B3AD6DA2830E954665F2F0C0F2B030C760432953FE4DF35C20BBAA474F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:29.606{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE412E17A2B28D745767BF03CB747F6,SHA256=D0515CAA9FB61963C2C123DE36C3E24A5DFA86F97933E4BDB99917E45821E5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:30.970{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7078AC480BAD6265C6D7DA3524CC9B,SHA256=BEC9A5AB892D708EC6A5AB85AE7DA7EDEE4BCD6ECC4045F7E794B02651EAB850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:30.704{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:30.620{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB03296C3472A69D8544272BCF7B00F,SHA256=DE333B759B1D8251F1F785538A8C43B881A688D7FE18E01BE5213F0ABDD3A8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:30.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EC3C01EA842F7AB2437B23C2B1A182F,SHA256=08977AF162517C4045B105543A4564C455972D4A03CACB82D41DABFC876BF471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:30.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78B625B840CCAB2DF3D947FE1DB3E9C7,SHA256=B45E5BAB499FEA4939D37A1D09DF1D8D1F995A3626366B4184DA20ED6AB9CFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:31.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0181CDF9F85733CB9D7104B7150085,SHA256=DECD242BF9E1AFDB00DD244CEAD2F8256ADE9F7A6779A138565B82BEA5F20621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:31.620{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341E7F01AE6645B30E34C0D98830F857,SHA256=70762CBDF1285699DF7607B20BC4D081750FC2F8AEE11CF119D6F2C3E9FF8EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:31.360{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:29.567{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-52027-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x80000000000000001455075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:30.136{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:32.650{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CD2F2D57535CE39F0E12A87935A0E4,SHA256=159F95E8F00626B4F498B30E9AC81E73D49D9EAE45A4D6956ED6B85A9401DE8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:30.444{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54017-false10.0.1.12-8000- 354300x80000000000000001455077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:30.698{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:33.667{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C84E4698E362BE38FFFB2B421092C7F,SHA256=51AF4D630CAC0C9F7CBB6A4862FC24118C14CFA77D93721E0319E92826C7239C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:31.554{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54018-false10.0.1.12-8089- 23542300x8000000000000000399800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:33.017{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D7A912AA099F09F5D4127E58CFA33D,SHA256=DCE94044327AA3BB2F3D8ACC680ED329F8925FB795EF232B5752D9F622697D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:34.685{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F02C55965B6C53E5B6E6523D1685EB4,SHA256=435BEA3E003081441C4D7CD49F4B6C44FB0D05360EEF8D0BFC664EDE409485FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B1E-60E3-C30A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B1E-60E3-C30A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B1E-60E3-C30A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.674{7F1C7D0B-0B1E-60E3-C30A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.017{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DEA965F05148359D8DA4D243F26170,SHA256=1FFD6BBA9B2AEED7BB6705A0862C8AC785209E3B8F2C6DB6B43AD738F7D62E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:34.033{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=61458C4E1FB03C729CA9C6920CD88F49,SHA256=1D58EFADCEA8D3D6E7419D71327EAF81145FECEBF4E58EACAEB17F2A41226E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:35.715{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C226D6D10F82DF11EA4A577F0B294E64,SHA256=624C7B7AA38AE498EDDC8392A13FD55C5EF0F2D5860A0E1735DA27E2386EC252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.876{7F1C7D0B-0B1F-60E3-C50A-00000000D401}26961264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E99DB516CF8ADDDF48B06428F8BE2928,SHA256=7C18D88B1A6E5EF3D0F95CE42CD87E89B5AC26C6EFA6C9E6E23FBDAD50CCBA73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B1F-60E3-C50A-00000000D401}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EC3C01EA842F7AB2437B23C2B1A182F,SHA256=08977AF162517C4045B105543A4564C455972D4A03CACB82D41DABFC876BF471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0B1F-60E3-C50A-00000000D401}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B1F-60E3-C50A-00000000D401}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.674{7F1C7D0B-0B1F-60E3-C50A-00000000D401}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B1F-60E3-C40A-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0B1F-60E3-C40A-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B1F-60E3-C40A-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.174{7F1C7D0B-0B1F-60E3-C40A-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D506FE6246CC94C98295035784E8455,SHA256=7EC0F8BD20965AFDC3CB1B0406299B0C72BFF7942A4DEDF36DAC11E8FDC232DA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001455080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:37:35.615{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a2-0xea0e32c4) 23542300x80000000000000001455082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:36.745{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384BBE141C2FEB33582ECC3EF1529830,SHA256=7B0BAC2EA532EA4D061EFBE58FEEFAAAA300C22C36C940F99FFDA067170C0835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:36.722{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E99DB516CF8ADDDF48B06428F8BE2928,SHA256=7C18D88B1A6E5EF3D0F95CE42CD87E89B5AC26C6EFA6C9E6E23FBDAD50CCBA73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:36.157{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D47D2ECDBD4072D16E2297493346A94,SHA256=62F52B0E2954F9BD6CA25AC4EB93DFF5BA7CB8583EC1751714B2D13915959094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:37.763{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4714C0029E2019AC105C19D9A7A66C4D,SHA256=5364627C73EC793A37F7652C90CB7EB51D2D42D9ED912C8D405C49B18FB0E3DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:36.460{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54019-false10.0.1.12-8000- 23542300x8000000000000000399848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:37.347{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20362723626B5863556B3495B1B424C3,SHA256=BB241444012E9A71806E1E5681C3C557E10B9C81442B04FD0D89DE1F38BFC95C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:35.046{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x80000000000000001455085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:38.812{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBEB2FD4E5EB5C2D0F644D04E83209A,SHA256=CA8CC0DBD204C46612F602B5E9DB5EBD1BA1CEF63AC9AE5256AEE9BA5FD7AA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:38.375{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63B0B3BCE2B3D9AAE35BB8111E6BC11,SHA256=4A8D2199719477CC0EC565E19053FEF222546F11B839B70F7472A81F06012BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:39.843{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA01CBA0AC997FC4C2449681FB9E697,SHA256=B8112DB09E2D6FD0297B93BBE3FEA190F4067C8EF27EACEB582284211BE0AC2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.783{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.628{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.424{7F1C7D0B-0B23-60E3-C60A-00000000D401}27961644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.393{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5284EE15F4BBF59B8337B80FBBE7BBEC,SHA256=8EEC6862D9A317F3BDE4BFFFDD4F483D44A529E3E2479DAF1D74E71C8EFDF070,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:36.644{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000399863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B23-60E3-C60A-00000000D401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B23-60E3-C60A-00000000D401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B23-60E3-C60A-00000000D401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.128{7F1C7D0B-0B23-60E3-C60A-00000000D401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:40.859{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92CA521FD2C1741A5B6927D77725C45,SHA256=5D798808956015E3D09DAB5D04C889A062942AB2F3C6FC0EF5FA28BC8D529E32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B24-60E3-C90A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B24-60E3-C90A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B24-60E3-C90A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.784{7F1C7D0B-0B24-60E3-C90A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.533{7F1C7D0B-0B24-60E3-C80A-00000000D401}34243364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.502{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AA7ABFFDA1BA80A09C7CF7815286F1,SHA256=DDFF8BF9DD4A09119E85720BBEA2E028CCA6DC55CAB6480C453208BDF5611800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B24-60E3-C80A-00000000D401}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B24-60E3-C80A-00000000D401}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B24-60E3-C80A-00000000D401}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.284{7F1C7D0B-0B24-60E3-C80A-00000000D401}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.252{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F5D887773B6A20B99E94884DBB2CA10,SHA256=4B8035CCD1A6CAACE37140ECD6AFFCFA4C51FA42B06890F0C76DB369E85D537A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:41.877{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B8D957F34359FD3B32EDE53A2C508C,SHA256=8C19A59ED5D34EC89E3C05544D8596AFD381C4F0D12F8C5ECF4A34679F4DF1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:41.533{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559B243B6B0D606CAB189D646F652B86,SHA256=62214577FE7CBF921B3929BD60323448E6DC694A22EAE8AC0F752749CD0A478B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:41.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C01C36B706EA63E55F0FE5D36634381,SHA256=3C594A05EB1B1B5AA49B437A08AFF1F5AC8937D6A7B2DC0CAC672E649B438D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:42.907{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45046791A5F7940E5030290C2785BBB1,SHA256=75FFBC4A997971E7D1B364A6FBEBCFA5A368BA017F04BDC9B73DB8C484B58BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:42.533{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47AE0C2BBF1312AEC0AD009165647092,SHA256=36A7AB9AE5C6E6B6D2EF1AA9755D4C7E5160DC52A6D3448AD9B1786E9D93C99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:43.937{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232C925D7326DF3E4CA25F2C8E18B714,SHA256=8EB315E71C7CBFF26EF268A61A486573780DA67B0B9688D3A2EF580E8DE9BC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:43.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E5E2A504B318EB2FB4E4974CB6EAB5,SHA256=62A77CA17856E057FB6E97B2903EF7422B9C42950D550F85B98CF507AABC8393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:44.955{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61CB1D45059C1441C988C99569BAE6B,SHA256=84BCC1047420ADA7E56499BC0A0AC992BC0688203811FE01AF020F1D84F6F6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:44.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FBB08ADDC84E76D179944EE3982019,SHA256=5BCA7BBAE83CC50AF94620DFBD6BB8DB414B729DB2AF2E74CEB3F4F32E5D7704,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:42.446{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54020-false10.0.1.12-8000- 23542300x80000000000000001455094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:45.972{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCC309D7693643881B67E68E28E4C0C,SHA256=F3094135D7B242062DBA6D20FA14134EEC39FF1B897DEEF53E4E092A517691A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:45.565{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7E09B2F7965D357E550F40DF9EE9C7,SHA256=4B2FF8FC94259C742D2BD89DB9D60FB0476BC95F8E0CD91B3AFDB71B5E39D474,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:42.637{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:46.565{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A069118945E184CEEE9CA539EFDAC243,SHA256=6CDC645C0D8DDEC331843E10E29FAAB2456F87377BB5862CFCDF33C0EA918B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:46.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D621DD90430080B69E45301B80EB1AB2,SHA256=FFFF0E94BA32B930A6257765FF487609453B31727E45C20323CC739F5FA99584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:46.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1DB6DCC0E9FCAE955183AA83E9C0AFE,SHA256=E153494CB82A80242E65E1CD620B43240849B5320ECB4BDD8E2C0ED98C57948B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:47.596{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B8B01F68E5651D89A86BC2B35F97BE,SHA256=B8CA35AD45D55B6B1328DE31DAA6400A0FFFAA0B28BFCEA71151C6067A92B2EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:44.684{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-59980-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001455097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:47.003{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCBBF6E247D0C52A879C36120358E6C,SHA256=41F55161E17C999D126DB3BD314FFD0777C59615816562966513D487641DE18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:48.612{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B0D91E69F3EF69E58C946D16DB02A2,SHA256=69E69124F0318B7FCF9C476210E7010A932FBD64DBF8F18979A023E9F3E203DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:48.017{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28310C9CB4BBE9E093C45B9EEE0B06FC,SHA256=C5C0F28088AEAB674903DDF827A8308E593AA4C3019B371029B56B434099CED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:49.658{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF92E81B686093DB780EB9E6F9BD5A17,SHA256=B7B6649D33FFAA333D293FEC24CA12A67D643BD8FD7D5EA3BB97025C5AE98A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:49.033{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE13485EBA32A29C468EC39DEE688BF,SHA256=9640A820D90A6EF4D7D589F41049E8A9B6581955E41835E2F51E4F886953405C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:50.658{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090A37D4758B4AC210AA12696892D171,SHA256=534B824A34A2908DD7BB587D355174D8F92DFCBD713888E5BA17B033CE118941,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:50.468{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:50.468{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:50.468{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:50.050{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B4797E57AA30816DD4A020A12241CE,SHA256=808D340E21E2C7E054F83FF2BEFD9D236E31FCA843310AA220534E33AC1900D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:48.461{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54021-false10.0.1.12-8000- 23542300x8000000000000000399922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:51.752{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011DD1BD8D422D2E98D28C9CDE73DEDE,SHA256=FB703434440D7C69357706326909BFF8D985A03670659A8356F081623D3CB32B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:48.647{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:51.067{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27778B3C63958ABB56C9DD8A79F856B6,SHA256=9C93376E501153299B5F5AD123D1F392F5D4D1264AC13F1A63876990361E68AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:52.815{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679FA902FC63443E83D9E3351D8467D1,SHA256=F0EBF6882CBA5B6A50CA66F50E779D2F714850A39E6AD3A2D72188150713FFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:52.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0802ED0754B211B65E9BD277A7C0D8FA,SHA256=2C7420F0669E15FDE96AAEAA5C2FA299D1BB8DEDAFC68E65D69D2101EFD79A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:53.846{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F722B59BD05DA5974CA6F2AC9B089E,SHA256=123D386B14D287C9982F8947C42FFF819D2F5E282548146F948359C0D0D88D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:53.127{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB9BCCFF1BDA3DB61A8877D61E9F119,SHA256=1A04C8E1A268A289A2833C42D33BD78F99C9744C90F1293AD16D3FC6C45DBE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:54.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077A1893E201A9FF62FE101C2DAEE3FE,SHA256=E42945874D6135970F3991D8AC32E73EDAB453A297431F942BDACFF3C1BB87D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:54.196{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC374CCB9BEE9FB241F2EBC56969B2B6,SHA256=9D5EEA9B6D4197F82724EAB62DD48F45BA68803BB898EA1DC9C9EC25782E2C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:55.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A998939AE23037B526A1C18D9D0999,SHA256=D8A97917925B0B75DDDB4C3C6EF872FABBB5CE3B94480ED2A06780D153B4F5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:55.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF59300A7BBF49F1D6955E7BE0E23237,SHA256=F6E205E95B3D6893F6C26EFF8ED22B298217BD076F678995ABBD18DD3917DEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:56.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EC67B536F1CBC34AE793662349ED33,SHA256=4DEBB32EABA8BD77528D37FED866EA0CEB9C6801E7E42EDDB98728FFA2049A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:56.262{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E2BB4A2EF640BB058945D6616DD250,SHA256=8988F127D7E33C43AFBABAF28B56C2AC48C3D8290785C293C721D95CDBCC907B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:54.430{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54022-false10.0.1.12-8000- 354300x80000000000000001455111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:53.674{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:57.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5334DB05A32FBFBF1B36337CE90AD5B3,SHA256=A2E443E4601966C31F54069C07AEBA1A351F9ACBC6BA22734BFCDA34AC6DBE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:57.292{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D2DC32BF696B8383541B89C0F34B1F,SHA256=5DCC898EB91F84803904B3B169236BCD828AD14A1D4A59520FF8482A4A1B163A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:58.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE69B939D56DFFA8686E8F1B33061DE,SHA256=7E15912802B4EB868C104986CDD8DFB44C84428FA07109BFA5A84A83E49C6B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:58.341{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4ADABA65500BEFFC03FF486877708B,SHA256=CEC6EA6D455A6DE0F379A1BF611009CFDCCE657F306EA600B0D0505B5CFB3FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:59.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6914B1D0889E88DBC68E9A9D3E27AB6E,SHA256=015B3227F2D9BF75753E19449BC5917D5DFAC9774E59E7F037C034BB0A8A5526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B37-60E3-5C0B-00000000D301}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0B37-60E3-5C0B-00000000D301}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B37-60E3-5C0B-00000000D301}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.675{D694AEB8-0B37-60E3-5C0B-00000000D301}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.359{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4633B2EBF4A1C1CB72F0BE24C33C126,SHA256=6420903FBA9E7C99D999189CD56A9003BFA46935978960A05A3C0F0145345593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.159{D694AEB8-0B37-60E3-5B0B-00000000D301}70644784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B37-60E3-5B0B-00000000D301}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B37-60E3-5B0B-00000000D301}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B37-60E3-5B0B-00000000D301}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.007{D694AEB8-0B37-60E3-5B0B-00000000D301}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:00.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0BE50867D77966E661B32FBD3F9E90,SHA256=71E1A539BCCF09A4E86F8A781433B9E3CF4226DC674CB9ED631F0BB1E12EC6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA57D276F51398B85BB6ECB75138FEF,SHA256=DF0B491C7AD9F925B77B876BF55A77E111F4E767C3482F7D2535B42F3826DBC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.341{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B38-60E3-5D0B-00000000D301}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0B38-60E3-5D0B-00000000D301}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.338{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B38-60E3-5D0B-00000000D301}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.337{D694AEB8-0B38-60E3-5D0B-00000000D301}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.058{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B4B6EF3EE2C5C4DBFBB7200F8A79CA2,SHA256=486293C2D7A0796D45216AE6902555AC94F87609A6775A4C9952CFA2642005DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.058{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D621DD90430080B69E45301B80EB1AB2,SHA256=FFFF0E94BA32B930A6257765FF487609453B31727E45C20323CC739F5FA99584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:01.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687F34084DD9925C073DEBB4D95A179F,SHA256=19951F7EF7D8512064CCAABC586F5AF1B1EA4D05E67388846594E6F3BD599A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:01.404{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14830520D8DA96FB07CCC075CD95A462,SHA256=98BB965D61DCAB3F84503C2AB8A3AEA4B86A0CACE52DE035CDB5C97F349C51F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:01.358{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B4B6EF3EE2C5C4DBFBB7200F8A79CA2,SHA256=486293C2D7A0796D45216AE6902555AC94F87609A6775A4C9952CFA2642005DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:02.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A9A111817CE7E30133E25BC711503D,SHA256=703B59CAE941BE531C71383C4733D87CD44D6F9EF799B7F4671CC5E0518B7874,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.988{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.772{D694AEB8-0B3A-60E3-5E0B-00000000D301}60481120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B3A-60E3-5E0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0B3A-60E3-5E0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B3A-60E3-5E0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.639{D694AEB8-0B3A-60E3-5E0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.437{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726F1C6AB35F5D71C9473A6A08EF882A,SHA256=EFBE1054293FA4F989E9FD185EAB4BED5F1E778AA9F2D06C056701281F3F92BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:00.212{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54023-false10.0.1.12-8000- 354300x80000000000000001455146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.683{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:03.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946E19E4E5D0C78EDE7B21BDB78D3F22,SHA256=278AA3B09A180C22320456936E6688B34A10FCA22A2090741434C8FC33E6AC8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B3B-60E3-600B-00000000D301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B3B-60E3-600B-00000000D301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B3B-60E3-600B-00000000D301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-0B3B-60E3-600B-00000000D301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.671{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2E1879E39B24A1FFE2DA54F04A18833,SHA256=2420B6CBCB0BB3B6EC8EB6922B86BE41A56EA3609009326E106DB5981A35EDCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.487{D694AEB8-0B3B-60E3-5F0B-00000000D301}67562504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.456{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC62518E5609BFDB87B616EA662279EE,SHA256=985F1F1EA83D8BD625774073BF58D555660AA04B3855B118BAF38FBB77B7B33E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B3B-60E3-5F0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B3B-60E3-5F0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B3B-60E3-5F0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.320{D694AEB8-0B3B-60E3-5F0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:04.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E77734FA641A74062F2ADB09150164,SHA256=BE8B8FFA06780175AB7B91753A84C1511FC20A995EFECD44FF447D5364F7254E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.838{D694AEB8-0B3C-60E3-610B-00000000D301}52005424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B3C-60E3-610B-00000000D301}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0B3C-60E3-610B-00000000D301}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B3C-60E3-610B-00000000D301}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.671{D694AEB8-0B3C-60E3-610B-00000000D301}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.470{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D88389B2478BE8595F5FB1D92326221,SHA256=FC2CBDCED78BA4DB8583F19EC2E132358B6CCE691456BE411E94C740283150E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:05.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2300FC972331DEDC193001258DBADF81,SHA256=2F171F386EC04C5ED1283988366261FD0B088949786A18C3B08231457FAABE48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.418{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61039-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.418{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61039-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:05.485{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4577C632A2885D9C82D6AB87CD5F077,SHA256=996FCB7A947EE403CDCF07F8C848F446DC6DF90CFFF3519395E21F3D39513DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:05.001{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=861500B2274F989783BF3A1F1BAE3915,SHA256=9AC3B5BDE742EA84328F651C9479320A9D7F3445B604FF7F662C8EAF87E71FDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:05.524{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:884:baa:f5ff:fef0win-host-884546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000399940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:05.243{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54024-false10.0.1.12-8000- 23542300x8000000000000000399939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:06.909{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8C44E5E561ACD8FB49F76FF0595287,SHA256=E7C79B92684A58DDA0D7CC8725E5F38BB073A2AA480A013D62E1888635945997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:06.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9616447B73D708401C08E8EA6819B7DA,SHA256=BACD059AD4F94D1FB3DC99658420809855D2EEA5DD550ABB8B9863B813518702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:07.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800C7D6AFE8E8D584FD036790CC0D598,SHA256=AB65238E1D2B3AF7C95F2675E0F795E74413F6FED0ABFE50ABFAF5085CF2004E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:05.599{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:07.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DE91B1DCD08033D5058AB2746C9384,SHA256=E3B6BCA24720464F282A346E64A7ED2BEF51DAA6DB64BAFA9FA7E737B08F2261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:08.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1563CD7C9013C3E855AD3F2712B367,SHA256=5CBCA4D72826BD71F149D1967661412671F4F4030163A8532AC9FB597CCBC43A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:08.531{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFE5E57FEBE2F7CD05553194F796CEF,SHA256=BD5287384878ED006B51BD79CE529334E1F3AF00FECFDAFB960CC9566D454536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:09.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4E5EB3B5B1B2F35D7B42CBC1AA6DD5,SHA256=23FB750C73B07B09C1DB35512128CB51E5D971A04ECBF1BB21F4C744FFFF8CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:09.550{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF75DA99DC42E5D4A1189482268BF38,SHA256=007E5F1C92ABA7DF85AE62EDB5AAB7E55192D602541EB96F064BF3B261D393F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:10.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABBADD6BBD91F15D559589B59BCB9A4,SHA256=942AC8DE539DCD993C627461460EBC07FC2A0CB8BE6FBD95FF5207D17FE85DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:10.564{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9B2DFE24BDE063C7D1201F1927E92D,SHA256=76B23E7DDB6CADC492D36F73DA5BDE913F50564BE911E33CE7543984C04E42D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:11.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C67F5E9AA63D2423391D5BB10083295,SHA256=140223CA45C38C825649580E36C051E23E78B8978B18D1B04090C4B04B46AE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:11.579{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36CD3A2B0C959549F3FD37CAE6A0D5C,SHA256=FB7BF2FD957828D862317FFD760825EAAFE1F0794A93520E8AAB93D80531E7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:12.593{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FC1B897714A1C57329A975377D9EE0,SHA256=0B7607469E318FD0D6D16F31FFD027228995D5522F9397AFFC04BFEE0D08E51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:12.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59896D2BB8D070B688A88557AA0275A5,SHA256=08B1132F5B4C6FC1CB15C9839CC7332E36F26A48025B9E460CD629056EF5FF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:13.625{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FDD9D7860CFBD30592297A32FCFD4E,SHA256=478258761E3985FD47ED7A9099FBA61B98D9398937EDD4D7339109A0A0126493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:13.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B35EA5D36C6553F20F4D641BB9701E,SHA256=83C2577A2B9D8138694F7BC68CF8851AB28E0FBCF666C9BA57B12E6933B12EEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:11.227{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54025-false10.0.1.12-8000- 23542300x8000000000000000399950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:14.940{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C6C0F2FF10954542766C098426BBFE,SHA256=02C86DD634BE1F1A5D5E27CB9EADF3D78E0E7E947B2D9A436EBB6F63BF31CD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:14.659{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFDC9649C740C31298F3C60CA050395,SHA256=B8823751988F3482892AEF7F087A9BC9BB4BDDCBB66FADD756D3CBB840E441B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:11.593{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:15.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34E37333B15A86760C1785AA65D1797,SHA256=9D2456E7FCB6F37AD7B4564607B282A63A03252214545B0DA550171FC93F11B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:15.689{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AAA75073D4239864C65C8681D69D7A,SHA256=13782C51628E79F935253BDF7B6919F15F533DD721263F721D803FC1B8BF2377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:16.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62DA39C5DC01CF0E14816BDA992AE2A,SHA256=BAA0CB7449C8F4BADCF2B3971DB6CC4BB1D13769D18558BA169A21193AFF2A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:16.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323C855ABECE00667AB07B2F4654FC35,SHA256=ABA9375E67F3A36D3C3D4AEEFE3F0AFDA7D5D14EB0B5F587F95D47E43E73CC8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:17.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6AD8EB2D119CA26286E5732C4F3A21,SHA256=F7FFA53EAC73910A80539A3C9034CA62210A54AF311357A4F846262CDDA454B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:17.740{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115E7BB6DBCE1C355E53952C4CFA49F3,SHA256=21D7A165F9DB6BD9D88EBC66E8B22BB4CEC5149C1B68DCA537FEF976C51F101D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:18.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6301BCD4D4FEC06F3C9649CE9D842D7A,SHA256=EB83CDEA17C0B2B2E8210BFEE2BE6664E99E95581BA24D9EE9CA2B9BB2E38229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:18.754{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE4336D3ADB081530877D2DEE48533A,SHA256=A4E19BABBC2D4A3CFFF93FC9F0716A8A621F702838101B1144107E1BDF923569,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:16.228{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54026-false10.0.1.12-8000- 23542300x8000000000000000399956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:19.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FEE1EAB0A161F5AB2EFC283F3CB1A0,SHA256=8547BE1241281B666380C6E4E6E41B99D1D00A742359A6E96D8CB26123D41CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:19.784{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458873E12D5C1F0B7A7ECCB51F5A89D3,SHA256=FFAD8FBB52C4CED9078FB2DFB9E55DB1BE07AE4F7A10F2FD27B7C501F6A1B358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:20.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83E85251C9261CB48301C35BC02AC9A,SHA256=C2AB044F85F759A41CAAB533FB716EE14CE81E5D999BE6B885954129CFACF4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:20.817{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5063A4AB763D61B515B53043744390,SHA256=DDA126245B39B6842B5C6A722300F17E74FF3CB78B6164A16A080EB980C8747B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:17.586{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:21.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1BFA3157B4AA96550AC615B5E53421,SHA256=E43D01BCD2F240C22B0DF5C02208E3A5A4B96CAED99D95B1A25A2611EACBF623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:21.867{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6692CB74662A4A89B381E871CE8C9BBA,SHA256=2310368D4CE63A10E09FB6BBB8BDB1B12E0F731686EA1E5D6A14643C7D8E72FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:22.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D30BF4D31E3B038637890B51A23F691,SHA256=78A72D7701AA5F0090D6C93BF3C1AAFA9E3E827C2B0774CF6C1D8AA857B4ED2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.881{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7E4370A5112D82A8FAAADBD4628AA6,SHA256=E88DAFE217C9BA882F036A5199781732C526C76BA08689B2BE725FF4E1624ECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:21.446{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54027-false10.0.1.12-8000- 23542300x8000000000000000399961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:23.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31363F6DE8B0B507A84342CCBCBF3B65,SHA256=0F1B89E67C9CC3DE43A8BD0748C85233A7072204ED72A43399EF4560EDF0FC69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:24.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38ABD895217A15445FADCC33AF70810F,SHA256=AC0D5263809A453FFD53EDFDA1D4ED5E1EBD1B047D81DE074D56CCEFE35064C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.659{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:24.233{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047169369BD6072FEBF9C28C45CF03C5,SHA256=EFD1B0DE19E2481184CC07ACFE812CBF95C827196AA5B47BAB6748101A2495BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:25.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD4D298C382E591E376997258FE820B,SHA256=E439FA87A8D859DA53EB29039028D664A00CA247781B87049FC4E4E584CF6482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:25.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905C77E5E350EEC42902E95BCBFFC485,SHA256=ABF10D81FE22466C0E4E0EDA4EA3F4037F7A37D67CE4E4EBEA78E40CE3537A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:26.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FB57F818B582F14840BDE2BF2F0424,SHA256=1057121F3126B9E60D65D9F38167656C6437D2B612D5C12787D45097BC0616E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:26.248{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC315C2C04CDC527AE38B81DBE673BEC,SHA256=ABEF78011F50196458E26CA1C2A56DA720E9697132B1266F0B087C47ECC13CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:26.377{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=902E9866D43E5B9FF877D6306B6CD9A8,SHA256=9669ABCA525AD26A39EA77715C3A375129B7AA9B5A22EBAD0CD416B71418638A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:27.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E441D5C5C81FCFA0F87032A35F63F530,SHA256=5F37268F3A2789B84675A3D4C77542BD8449B111FFFC20C0ABC3D8F220EF1840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:27.262{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89C3AB0F815A21B05246673B2B4D340,SHA256=673668321EE415F2529FEBF682742E4D8A85D74EA08BADE0FC5661FCF4C4919A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:28.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6000414D5BBF9143786A8000181852F,SHA256=EE23A389A507A04083B9AE90C10253624EA490822DA7D500CD44509252C7D0BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:27.462{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54028-false10.0.1.12-8000- 23542300x80000000000000001455245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:28.292{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E365C44CB1787D50B61C85EA0289D01,SHA256=B441FFF6EC014934B9BC473D92F2239AD5C61DC0A3A84F858FDB671CA7944493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:29.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EC548739C5458298F1DB823A59DE1A,SHA256=B51B46289595219CC70F4829107A09300BBF3A8907EB2D8906B782B1359C76D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:29.309{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486CFE7559FAF3F998D558C1D82A2FB6,SHA256=A717E3C6A6FBE4A2DC5E6FB1D6A9100E7C3592022287C61839568B284602F46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:30.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4616E6501CF85B25DA6D050D70274D,SHA256=D59195FC4E703E1AD0B3D437BDF432596A1BDE0992CE7AB980A9B0C219765520,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:28.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:30.712{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:30.328{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8772134E91D3CD872AFA4C17588BED15,SHA256=FF50E9489EE0194B93E99C3EA8C8811C27388461245B9F055D48F1A3817E4EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:30.799{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3C5CA62C84BC81C638F90B2C44DBD4,SHA256=3E98D77023B12F199BDE50660EA6DFF4AFCC85FD231767368ED29FBF3000FCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:30.799{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A150A6690B723DDBE207227EF6DF8F89,SHA256=FC3E36BEBB3681963671C7125F9E594654CCBEB0E3CF79ED240FDC6553E8CDBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:31.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390A74FAF7DBFB203DF4B3D3A0D6FC12,SHA256=745741420D4F609CB8E3078DE0E122B063B1A93C0F83913E98166F54B15D3BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:31.359{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59CA3516A1E50774A75701BC64016B7,SHA256=FE21216AEC029C34B8C362890CBF071AC079439605D2CF81DA0B96D67002E4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:31.377{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:29.737{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53172-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000399976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:32.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854102222D856D881F818EC484A23025,SHA256=23737E19205D24A2FC38629CB062A46739FA4CEAD4EE55CE714A9488BFDAC496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:32.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D31CF9EB5B025414C4EDC42716E9F2,SHA256=02267960BF1F2276DC06AFB5A5AAB8A25705ED12545397C542DB93D4A2197940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:33.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA553990F11BD25A209495BFC40A320C,SHA256=F5F6284B6A1A8B3565A22DA4B10119D57AA3D6AB2E4B8D1BF2EBF4DF0A71BE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:33.387{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94BFFDA26F47F8F6B24A89615DEAA66,SHA256=A0093FD80DCE7AD66514CDB1E9960B0BC54537AA676C1827B8782AEC0F7761E4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001455262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001455261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01559f52) 13241300x80000000000000001455260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0xaa39b7d9) 13241300x80000000000000001455259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0x0bfe1fd9) 13241300x80000000000000001455258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ab-0x6dc287d9) 13241300x80000000000000001455257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001455256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01559f52) 13241300x80000000000000001455255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0xaa39b7d9) 13241300x80000000000000001455254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0x0bfe1fd9) 13241300x80000000000000001455253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ab-0x6dc287d9) 354300x8000000000000000399977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:31.572{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54029-false10.0.1.12-8089- 354300x80000000000000001455252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:30.153{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000399993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.971{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC7E3421ED699B5A66C78E3000440C0,SHA256=65767F9168B518C61B57452E23A191B7572753012EF5D85D6E7C6A1AE3E9A71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:34.407{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55311AAC9EA8B5175E920A77B389EFAC,SHA256=6D2737BE927CC744900C560C886AB9B62F1C4149AB11B1A2D7D55F514692EDB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5A-60E3-CA0A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0B5A-60E3-CA0A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5A-60E3-CA0A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.675{7F1C7D0B-0B5A-60E3-CA0A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000399979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:33.462{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54030-false10.0.1.12-8000- 23542300x80000000000000001455264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:34.040{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BD02450180B5F8BC1F855BED1F58E93C,SHA256=136BDB6406B82642600324F52803CE9E2766BB7E4945A7DD487C4123C7DA183E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:35.439{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B9BEA72CAC659936BADCD1B823B894,SHA256=1BE1C3A5B0EA4992726AE8E8707C07C26F6EC4F7B9265F33AE728CC308799C2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5B-60E3-CC0A-00000000D401}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B5B-60E3-CC0A-00000000D401}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5B-60E3-CC0A-00000000D401}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.847{7F1C7D0B-0B5B-60E3-CC0A-00000000D401}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.815{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F696D3EDDA4222AABA47A0BC68085544,SHA256=F588BC98E9DCC11951487A115EE9053BB1202207AF2A596C89D1D52E25313B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.815{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3C5CA62C84BC81C638F90B2C44DBD4,SHA256=3E98D77023B12F199BDE50660EA6DFF4AFCC85FD231767368ED29FBF3000FCC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.596{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}26241440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.347{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:36.453{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2656AED3576F5D7DBA5852317BBFDB,SHA256=7CD2E242C57095239EC0AD08A100B89919BAD23EA2DCF05FAE419F8165CD369C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:36.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F696D3EDDA4222AABA47A0BC68085544,SHA256=F588BC98E9DCC11951487A115EE9053BB1202207AF2A596C89D1D52E25313B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:36.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A4013B254F06406E231E5B74DBC431,SHA256=7246ED6B13252B4B596BD98A2F51B12F5AE37DED3AB48F66F77F708092FFD207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:37.468{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB8055CBC17549E9077098137CF6307,SHA256=C288F4400411F9E968D74B8778562C7D15064CFC1B62C68EDC13B45F2D7B29E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:37.033{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6519B52E1487D5CEE4CBBE40C83F183,SHA256=CCA0F19F173D0A51368D5616B4050935CB7C14DA2575D9039B3EE3C89C569C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:34.685{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:38.482{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D09660EBBBDD54C7159A6B43F7C1CD8,SHA256=8D96EE2D378995D32B1E922C667C21B283E004BB2B457636E5A110134DED8E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:38.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271ABE1BC781943DDCC604591845F640,SHA256=7BDD7B296E8E636683D9E6124BDC9CF2176E19D64F843D7A910740CCB6424F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:39.500{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6197115B0254E82FEEC1145DEC8E32,SHA256=7972F41B46FF68F765AA02FD1F0CFAE7310616EC11D03A53384F8E6DE91DD0A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.987{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}82832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.816{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.345{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}20961076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.143{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFA676C2AAABEE517F76C699D588FDA,SHA256=875BE67A0FCA237B18CF1558C305BA1E02AABD15FA44C3FE273F98860BBEA8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:40.518{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54001DF63F8A078900765498740ED17,SHA256=82FA793952744D2E358D3D29287E59701EE12966753F299DD5C78FC545D988BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B60-60E3-D00A-00000000D401}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0B60-60E3-D00A-00000000D401}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B60-60E3-D00A-00000000D401}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.988{7F1C7D0B-0B60-60E3-D00A-00000000D401}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000400071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.399{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54031-false10.0.1.12-8000- 23542300x8000000000000000400070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95CBF8E4CA561825D6C5E2AA5EFEA383,SHA256=BE160B56FE0CAC899A2DF86173DB55383ED6FBDD5424EFF07223B17CA7E61412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65FAED0551FABFBEFA5DC828AC55554,SHA256=1625C647A190AA34761FC60F9CDCE268F095FD0FDEDD96B6F7585B4C4C20CBAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B60-60E3-CF0A-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B60-60E3-CF0A-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B60-60E3-CF0A-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-0B60-60E3-CF0A-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:41.533{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9F475D2BC87B7EC11C91F0BBDEA058,SHA256=0FB6A58C1BB27E9697F17F879E65F1BFF02BB2E4C46B2F2637F686F71BDEE9B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:41.737{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80493CF73BBC7EA7FF5BB941E5618A4A,SHA256=74EE044A409090F9BE56A470E2F6E4D05C8E8B2AD0822D48ED2A604BD1789556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:41.502{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C78F919C669313214B676F3F5330888,SHA256=F3605D4B2B642140C7FE458BD539C69051FF24791542D1CD730BFAD11838A488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:41.190{7F1C7D0B-0B60-60E3-D00A-00000000D401}40723352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:42.548{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C43733EB8AE4B36D1DF67074275B8CA,SHA256=FDC509726D5F2524EF156375EB0CD1EC3412845D328E9DFBE1EE73DED5B1C645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:42.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA290515A3019DF35A52EFC4E73C397,SHA256=EBCA26B5A1F3821F93A58198352CE5C1077F75406769B99BBC837360069022F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:43.846{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6B1308E04E227969D440CDDDF54413,SHA256=C4F0992DAA113462F95492F0D665CCC978310F5D4C8A2611D92CAD0BEAC1DD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:43.563{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C559083F03ABE009A0AF1A9E3EED4B,SHA256=6705721D44F45EDF917AB42A2C3911F10F3F4E583C165D9FF83BBF6199A1C7F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:40.695{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:44.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2148AD7AD47F2274A4BAB9BD6BDFE88D,SHA256=3968EFDCB1830AB7821E297125DAE94221C39B7700EB68016946BE07EC859CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:44.577{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE751A5B11B9A267131ABFA1C4EF660,SHA256=5EDECADCDA57CA5DA9EC25C619A06AF02929F032D5F0B6994413EB375A320B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:45.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05ACBEA11D4A894063D38F70D994DF4D,SHA256=3D31C4BDF1A1650407D6E28077290BED4FB21A1AE5F923D6FCB407FF1DE8A8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:45.594{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C825C0CB9C0E7880AE2605B32521F7,SHA256=829A469A7B49E56D49C29BF6D4AF8D70AC675AE3CE3B53407D5E307C36B12B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:46.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473D7E682D04A01CD0A65851C2FFC100,SHA256=A1038CC7D6DB11B89931BC3223B905C75E723E1021F6C7932A98A92EB0043B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:46.612{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752E02B6C52B55A4369FCB8FE357F1E5,SHA256=3B1DEEED8E3681B5A095E65112676B3FA80AD9EB45078696138412D1651BFC70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:44.415{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54032-false10.0.1.12-8000- 23542300x8000000000000000400094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:47.909{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690938DB8A0D317E8F3A4177A89A53A6,SHA256=E59FB4104EB6A2D4E4588053888B180D00F64029726A85167305FF05D9DAFBD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:47.658{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2486347D25B38FC07CE2CD51D3C86BAC,SHA256=6951390AC73E95F83175D0348FA92AC08985182B98FECF5A29BCE30F072EDD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:48.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A91481AF662C91D0A4202EEEC08209,SHA256=12DE7C4CAC58F6060816BA23CA4ADE9DBB0313141976FF7FBA611130A037D58D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:48.695{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB727913807B2EB24F2290993DE92778,SHA256=F7BD2CB563EA13817C2A4D7B83EF7661E6A06BF7848B033A9541554185F8FE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:49.710{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD09C83DD38BCF308471271C82E31F4,SHA256=6728C8A74F1539543E9E04044B93A0D08F2B09C92AC8C84D2660C11BDC7A9937,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:46.674{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:50.724{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64152D421DB90288F6274D11FC7398B1,SHA256=C3F38DDF7EA9F93704BEB89C2C63634182105D21714E92E954F4D4649E6D4741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:50.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D89DAA2C06EB67DC8FCB2AE5205D33A,SHA256=39C3E83D457ABE7E60727B1A68AE47A76A7D349DE1D45B4A4815F3E56D858A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:51.739{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E2E352E84204FBBC65BF2CC963A4DA,SHA256=DE73B9860443924193269E188279434807D923FDFEE13519F1B4321E9BB98C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:51.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C2B73678DD48620B9C1DF66D0F22BD,SHA256=E3911966F1880FCDCB73EE9ED32C6BE31343279CD0C77573BA18990CE586EDD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:52.769{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8500A66DCE3925C47A306B7F8DA73A3F,SHA256=ACA4805AA5BB021808F42742C0B74732114689B5358A05874648642DF83AC5E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:50.416{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54033-false10.0.1.12-8000- 23542300x8000000000000000400098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:52.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C418368C44D107F6B93CE43E772A7ECF,SHA256=8D3B05C20C69EE833593B9973039716A1F6207477163664BA47378D0BD9C11FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:53.786{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8655F10DA84BACC95E134C865725C0DC,SHA256=6A1D43B8C2CC6826C69E3BA42847957B11953393ADB62AC86224E679CE96F452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:53.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCF7A32A4462EE8E9503ECA9A640C7E,SHA256=598EEEC47FFCCF770D283DC30C7BF935719DA1309DFC57D50769441DC2DDEFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:54.804{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243E218B09BBBE9C0FF2A8190FFC3AA2,SHA256=8B73E8B6A326E6311129F0E1172CD3F8F6A1136F95BCF9192E1DE561EB8BBDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:54.003{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21277029DDF07CEC0AD113CD6DDBD282,SHA256=92B5D68422EE9C2852E11A7E360BB7CC1F400CE3054AC860B54844574F4F84A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:52.684{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:55.834{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC46429EEF9EBB18946831C02EF6F49,SHA256=82E231D50880EEA62960964B254A277B3FBBF701D157C357889037F0C619A00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:55.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E69A61B930EB433608FFBC97013752B,SHA256=F4F714B475C12F1EE8104D2ADCFD8E10D2E4824B044FAE4C608EC08C0FC59529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:56.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0C8FC3CCBC8866D4F918359EFE6F67,SHA256=F62844E44C5939711B30E264BD9414C3998F22C738588A5F4F12905B81605364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:56.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C63F3832896AE2DD0E4705C0D7EB53,SHA256=AE91A3009BECFFE39F713C8930A6EFCDA6E8B7831A82DC3950A2F7AEDD4E3855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:57.881{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A273D555348EA0A7AA696E9609F9C8BC,SHA256=13ADC1573447C767A0E7470A07E4561A5ABE50F0CADF96B3502F2D2D5B65F527,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:56.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54034-false10.0.1.12-8000- 23542300x8000000000000000400104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:57.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0CECA7467C7CA5C1CF952F3C18C330,SHA256=C2E0B6E7F404043528E0D7738ACDC2754470F3FAAA8B78D2CAF1075A69FE694F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.900{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4917371E8B52F9D38C96C9BC2D34F397,SHA256=53D28CCAEA850C9470D7C6ED1455F4DEDB89AE21C056EDC20F1985DF88FF37D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:58.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5248334F2E36EA590D8B438FC7275050,SHA256=4C76C1871EC56613B79D3F77065A96E1B393BD12ABC3BC0CABB687D4EB0DE00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.915{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB80438CE07553481C1FDCE612A2551,SHA256=022C703102B3FE180CB5B87998FD9E17539E32744FC3C2C9700749310F648692,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B73-60E3-630B-00000000D301}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0B73-60E3-630B-00000000D301}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B73-60E3-630B-00000000D301}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.515{D694AEB8-0B73-60E3-630B-00000000D301}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B73-60E3-620B-00000000D301}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0B73-60E3-620B-00000000D301}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B73-60E3-620B-00000000D301}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.000{D694AEB8-0B73-60E3-620B-00000000D301}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:59.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7571AF6F7003D21494174ACD95A6311B,SHA256=0C89ADC6B283249990A5D0D30E51F2885DD3FC43444945A8C44A759D1A7BC676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B596DF3B47AE39F8EEE3768DEC3C82C4,SHA256=D919FAAEB4B2F1BB588CA7264B607ACBB9EC00AC8F1F75BEF86EE1D87D9C613E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.677{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001455321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.345{D694AEB8-0B74-60E3-640B-00000000D301}62404496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.183{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B74-60E3-640B-00000000D301}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.181{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B74-60E3-640B-00000000D301}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.181{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B74-60E3-640B-00000000D301}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.180{D694AEB8-0B74-60E3-640B-00000000D301}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.030{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF6E714044225D4E753C5A8F5AC583CE,SHA256=FFAAC59756CC8EEC3627051D5D5FC65DCFA87818D807CA7635A4A80680D2F5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.030{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73783C3B65B6CAB0584DCAA6A8FF2A1C,SHA256=FD0F021725182956D6E604716D4737ABAB420E8579FEE147D369B4E33D19B65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:00.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BF87BFAE3F73D2348A5489C8958A34,SHA256=B3B6CC018DACFBCDEB0441A931D2D11B6B44845FE9EF3A596B77E1475F6884AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:01.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5CC9F7915AF04239E3BE85ACD288DB,SHA256=A3116591B8DF3190A44E07D897706EBCBA5146F70A6352736BBC9F18D6B6E469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:01.198{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF6E714044225D4E753C5A8F5AC583CE,SHA256=FFAAC59756CC8EEC3627051D5D5FC65DCFA87818D807CA7635A4A80680D2F5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:01.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D1AE45D66704EC40A3DC4B2BB4BD8E,SHA256=C884AC81D5795847F484BA5887B8D24121E24C7C7BCE3B633BAB632AF7BCA1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:02.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A225E35EA0833790B85F66936B080A4,SHA256=4D4BC4E61F01EE415DF8566E143F8CAFF16C94C8D341FFEDCB50F83F16BD4D2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.828{D694AEB8-0B76-60E3-650B-00000000D301}69283148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B76-60E3-650B-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0B76-60E3-650B-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B76-60E3-650B-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.660{D694AEB8-0B76-60E3-650B-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:03.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAA212216456E65F79B3187B8EE9DCA,SHA256=7EDA5B624D957F548F002CB232EC750646951A2210F326BC48AB337F85E04E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.677{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=486E338CE0E7E0BA87983FA3D8558F25,SHA256=E2086FA4224CB98F123E33A131A622E77971CD621482A0038F756C40528F2EED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.459{D694AEB8-0B77-60E3-660B-00000000D301}64165704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B77-60E3-660B-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B77-60E3-660B-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B77-60E3-660B-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.328{D694AEB8-0B77-60E3-660B-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.996{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FAA144879E0896FA85F649699133A5,SHA256=173C4981688E45181F087710BD0E5FD083A21FDEE6BC28DF5F3D0853C1A802C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:04.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E575521836F8C5A6BF34CFB1B21A3F2D,SHA256=AE0241602998985C87790A4CAB3EB8A8489569600C5ECAB23DDDC691C05CE9C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.678{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B78-60E3-680B-00000000D301}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0B78-60E3-680B-00000000D301}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.675{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B78-60E3-680B-00000000D301}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.674{D694AEB8-0B78-60E3-680B-00000000D301}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.143{D694AEB8-0B77-60E3-670B-00000000D301}52646660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E86D8BA0BC5E1672A2D43005BBDA6A5,SHA256=3E3D5A37CF74CC8B579DB1560191AB33EFF02B639C968325AED53ABF389951D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:02.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54035-false10.0.1.12-8000- 10341000x80000000000000001455353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B77-60E3-670B-00000000D301}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0B77-60E3-670B-00000000D301}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B77-60E3-670B-00000000D301}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-0B77-60E3-670B-00000000D301}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:05.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521755D67662440145E9AEC339AACA4B,SHA256=6E74C298330DB76F644275FD1A1C9C82D2529A8F7CCEE2ABF93678FFB8F9D037,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.421{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61051-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.421{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61051-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:05.027{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B2BABBDBD31B7B1E61895131F74852,SHA256=EE447326C5A207D06F4D9E1DCD84BC2109442DBD9A7E2220966FF2D45B2BB8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:05.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A509638B3D25AEEC98AA041647A160DB,SHA256=E5D662674E19201EF304BE4FD280BEB2F7AE9018A10297179ED7481471990825,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.673{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:06.041{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC4083D79940C2EFCDC8D2C024FD234,SHA256=5308C990C9D1AADF99044795CE61227F913353386E55DB3780B8BF85B1CFD29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:06.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B62A7DF0625EE880125E25EC478966,SHA256=DDB1AA67F64C31CA7E93D113D86407F69C7244B99E52F644A9C0D8111EF05F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:07.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C493A966C62C106FC94DC2A04D527FB4,SHA256=A91600DE05850FBA018664717B2B6F87C3233AC480AADB0A85D9BFEF1A70CA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:07.056{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE684CFE0B2A02ED06AC1FE92856D8C,SHA256=F4D9165C5A8C8F6297C1527B9C1DE92FB4B5F28D0366B7BC3420DF2359D8EB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:08.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308393E9E490A40F9D6F37A29651C124,SHA256=A1058AAACD204ECB83CFCCA3CE2F03FA6D719FD587BF1B8D0F286CF431DE38E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:08.056{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106226BC5324880CF4113E8DF76D7B42,SHA256=7EBA8031F0A98DA9A99118CBEF86857283FE04A9C151C4C02EE475D402AF500F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:09.068{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45431922AA88D00841FEE8A08F1069BB,SHA256=6C98D6A371B0EB209D808108AF4FBDD5D0F5A8DF4135A1D4D1DC53DC6E0B68EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:09.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309A70CDB98D4916115CDEEB63DF6AEF,SHA256=31735085F5892B03EDD77DB6997DEAD0812283F383300B67BADFA0B1C00EFD68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:10.085{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDAFF2BED888ECE6EB34895D16EB0CC,SHA256=CF79BA249F32865F69EB02FFE832730140192C6DBD68D9AAEB94742D304A9CA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:08.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54036-false10.0.1.12-8000- 23542300x8000000000000000400119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:10.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7406D6D0F78EA17B3D191DD473BAD943,SHA256=EBCEA95FFF459468EA1AC334981949A335F195BDA3566062DB5E31BA401DE077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:11.104{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D821009726965B053795B4F083F138,SHA256=52F5F74C4A6BF926AB08440C7427DDE068FC36DC1D97F5DB8A3635E0C26F2FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:11.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8799015C8489E790A30A1D18B80FBE,SHA256=77BFDD219204F83E2BA90BD5D8A5ED4A0F33F73307B79374526ED25F08FDE360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:12.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60B37F1504B0757B30DEFC4B24F875D,SHA256=5EFC034D4AA0D11B8C21A7D6395A8EF2DB79EBB7FA659329931A3943FF421520,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:10.666{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:12.134{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7B372CD55A95AF73EB95DA57C01095,SHA256=83A6D4C6744121132EE0F7A432DA4F6B574B3BBF8288C20C538460A0153A2E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:13.163{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D00F94507D302AADA69106EB9169EF5,SHA256=EAE5A841AB745179CE22B93EB9AD0D3731F53BCDE84E5FF9002BDD5B45590230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:13.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53BA67BB223CB64780DBABC9F833EB5,SHA256=27A3E80FC693CE25385A00F1B0B13F09DAFB376C8C70D81616330D6019FBF98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:14.181{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DD7786F874051E4065F2077168B391,SHA256=DA72DE53E418D4DBD6F15903AEC67778368EC2C919980AB792A877B843B5E759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:14.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4237D3B3D751537A6CCDD4FE3F8E82,SHA256=72438A7B8767A54F96E3FF7FB82E0D10D5D268C87357F8FF3D6EB08F2B40766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:15.199{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDFD2160AA927D5FA99FE2ADBC7C99A,SHA256=6733A7D970A6160B950DCAB595AD0A5D4B045B7AC2C5CD840925F3669C6365A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:15.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559FBF2F4EF93A73D0D6E3944102FC11,SHA256=FF846F954DFC2F874E5A70A584EDC70F8C756E19BD1C0C99AA1637F52A5D6D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:16.229{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543C23949D875790FB76B76255D33AB,SHA256=DC676B1309866E4BD7A423498237C3484049ABB9CE2C59D698FA23148A038B00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:14.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54037-false10.0.1.12-8000- 23542300x8000000000000000400126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:16.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75FD9FEA2F4B1B452E26BE479EBEC0D,SHA256=2F0C7B4A0B60B564E3BFC2D5744BA067AB08813239BF32288DC0FD2E5BD90997,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:15.675{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:17.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91A47A126AD0518690973FFD035082C,SHA256=F778DFBFDCBC513E0FA4D8EF76A37A47C5890B588AAA56ED6C5D131321935354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:17.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60BE0D9B50ED90F63CB4D8F82F1F1D3,SHA256=810C53ACE9E735BD726F1E964685F35F802574ADF01F363E782487749C0DC28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:18.258{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAB0D9ABB2E31E102D36FDC680135BF,SHA256=C11E8B304E004584CED9E14B78AA49C3FAAD3645215E4A84C7C0F9A7172838C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:18.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5B429B4BF54C5716E36FDA05E867E1,SHA256=8A8F4E3439258ED9071711D7BB5903DC8CD3EDAC512D6F22EC02DF8FF9E26B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:19.276{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425DBF08ED9A943FD77765FA14118227,SHA256=2F900931CD79046E37269E5A2A2BA9028A028A710A61169D42C704078F25803B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:19.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DF5717E80785EE1DCBEA3B3A164CFA,SHA256=B4BD774F016AEAB0EE959830A6F1E16B03C7556F431E852D12041C0739C931A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:20.293{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B3CA94C78C82D265A0D2B4B0A62C5D,SHA256=9AD6624607E13749F37397C989C2AA9AB361B37769F406496B57701B79BCEE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:20.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804A2510322934F3CDD91B8D6535B3D8,SHA256=B1473B3F3E2DA2068959C85AEBC724C9F5D57B3ED12CA1238CEB26FF024E7437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:21.323{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1815A2C16BAF07180C6ED6CCB60E3458,SHA256=D0037BF97E2B6B4C58E403D7C6544D280C3220CDDC947904A275B4C86D639AE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:20.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54038-false10.0.1.12-8000- 23542300x8000000000000000400132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:21.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2F9DC38C2BED970E5208E55EB8AC0F,SHA256=E5968ED8DAB46785476FF65727A54A6F7DE4A078B45F33C05557BA6E57DA4302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:22.353{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD6F4127C3FB4C33AC7333C6D6F779C,SHA256=194011C0E58F4E2CD70EF31E863FC7D93894DAD856FBDC64713039E8282A8BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:22.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0FE96CBC14F7EA4D3BB3F159069B1B,SHA256=B3AA2D67E671EB1DAC17C02937CBED4BF2CABA3594E66D0F12CDD37816B4EFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:23.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1A855BCE176D7380419F7E9990F608,SHA256=DE3270902DAF788144ABB197F74573B8E10A1D8A5223367E7BABC9C3F240BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:23.370{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67FDEC0B482BAE7D042C0408DA14BF9,SHA256=390F56D10FA4B807B255D32C20196CB0F0480BAD936343515BC461F083B66B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:24.388{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E2BFB3FF40E360838E4D22133784FB,SHA256=4ACB4AE09869772FE1F92313A9222D28F677BD00925D1418667277CA9BC8066D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:24.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97848C3BD435510C775100F765CE7E4,SHA256=9C7ED8BDA68F3AC5BB276824F348F76EC7C8818506B9978AE528BD463B3A4BC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:21.637{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:25.418{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235F155690888CE21C61993EA7B02A6E,SHA256=9351EBEDA6FE6D45F3C4DFA7B743F856EE9B175AD46670EB773DFE4056ADB608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:25.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27926605AB625D1D3E7F76E3E1FCF988,SHA256=A14D6C58F4DEDBF2F85D1A349E3D05D6299950F1A173D5FEAA104A7860E57B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:26.448{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366D60E7652ABA8194341A3181322F87,SHA256=93B80DA3E8BC8E6F0794CA106928B737F9A44F467118300EA4B2D9C6A07BB93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:26.377{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2C4C5B18C005D59584FB2E13988B46F9,SHA256=A1849A9617038EEF9E5866D6539953324321721C723164CBAFAE58935CCDEA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:26.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C67D1E6F1A8CA8BC18CDAD6140BF419,SHA256=79A510260431F0E5A56439B442C64DFAD9C29BFF4C2E8312536A1233BB8C6D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:27.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC367DDB7B9AA931712EAC23B91F6741,SHA256=35786DF85633A7A7879DAB8800D6BC132917CE1094EE54E4C341E87159039D6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:27.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D527CB6A6F1A10A313CA9A5C9424A293,SHA256=DC54ADE4593D47E73155E1BE9AFBAF5276EEB466559EB2605D79056D49EC947F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:28.484{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6745365CC866F6E74393ED06C5558F9F,SHA256=9E58D2E6B42330562FCCE4E50FC5BAA985F2902965065F2CF98361628CED6C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:28.440{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8187819DA526A760C132205E8C3AA130,SHA256=BC2280F90AFE6FC120CF79117A6DDC3C4FA60C3091CB312E7553E3F797582E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:28.440{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5AC05053FFDCA81B98CE269433E67AF,SHA256=F6504BB2A0973786CCFA375D0527359DB70E3C1ADC005663477C493D314302F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:26.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54039-false10.0.1.12-8000- 23542300x8000000000000000400141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:28.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D6E476DDE80DE4EFE8D7F29CAD236B,SHA256=969DE065BCC846A357C25D33A435817E758B0A830AE7406D261B49535178B258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:29.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BB2EF1C6401AFD9E7C51E39E137F62,SHA256=34E754E4291C3959E9E431B9F2CBDDE55FB8D6F864CB535710C826BB4FBB393C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:27.428{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-40301-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000400145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:29.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D3453C0AF5CD7135D785617FAD3837,SHA256=41580B9F001448E6E0338AD8D0DD21222316D84E2C1F7EFE37C6A87B294957F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:26.648{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:30.729{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:30.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAD7E7A1F5F9F37420CAC3FCD24054D,SHA256=A9DF1250D5C07DB5260FD13BB0F8EC5B002F0C4C486DCCF440BAE733BEC85739,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:29.109{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-52670-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000400148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:30.174{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8187819DA526A760C132205E8C3AA130,SHA256=BC2280F90AFE6FC120CF79117A6DDC3C4FA60C3091CB312E7553E3F797582E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:30.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E06E287D6EB40AF396ABE8611E781F,SHA256=D83997EA648B6EBE76992F01C30B20901C94F5D3EEE43605FC88A4F314FC6F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:31.543{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81817A7BC30336FDBB8E33F3942D4B40,SHA256=D4B4D16F9E0760C71F6FF23D6EC0E026255ADAB7FDB9FE78A9A1717995371A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:31.393{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:31.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBE2F795F4F4C8F8B8BBA14D15E3296,SHA256=9508951ED843DAE2A5C1D06AE8813F1C86A365F81A52233AE2996D3A77F2DEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:32.563{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C22FF5A349A2D4870B1512AD5482C8E,SHA256=4789BC647EE391C32CE23A2F8727024A22D5668401E00FD8EC5DB8BF3BCE0767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:32.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28372DC9C92D7E09DC1CAC866DA94DBF,SHA256=786F5FA8AB5C0D47ECECCB8F3134555D87270BECC1865BFB837ED20A24369609,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:30.160{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:33.579{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63CAB87907D69ADE1308BB890CE2FC5,SHA256=447FCBB40465D4032D5B6120C4C5CEABA3451DD1E62D11D2167085A7D6F60D95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:32.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54041-false10.0.1.12-8000- 354300x8000000000000000400154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:31.588{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54040-false10.0.1.12-8089- 23542300x8000000000000000400153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:33.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4EC932CF752CE82A20AC74AC39FADC,SHA256=59E585F4F64F40C84EFB6125731FE39F364E964FC1491367F60B3657C6E4A229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:34.593{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49FE73E36275CD2F5D7DD6173F99936,SHA256=1D98BDA8ABC9736751761CBCA115050390E195D119DF5B964E3B72553893194D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.909{7F1C7D0B-0B96-60E3-D10A-00000000D401}8242692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B96-60E3-D10A-00000000D401}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B96-60E3-D10A-00000000D401}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B96-60E3-D10A-00000000D401}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.675{7F1C7D0B-0B96-60E3-D10A-00000000D401}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.065{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44EEB12EED194D3804F53FC64C3815E,SHA256=064A044A7EF6101A3D3B5B2A4DB68545CA0CF0E8E9BE4B9A3A0B843518E8C7F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:34.041{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F0AD75086C90AF9BD6C265DA7DA54681,SHA256=744B5F36CCB794B22982F8CE0326AFDAD704F71A961190FC24231302639718E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:35.608{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92D0A25CD8FDEA2BE5E45064992B657,SHA256=C35A29DF895027E0BD21D83559FABC926A416CEFEE293C4AD3E24B941BE0B9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9A68BFD843A3CEE44F10E2C3C5B1829,SHA256=5765C954E10502E7E122DC0D03CB89C3F23AB7A3DC166D036C5498B672FAC179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B97-60E3-D30A-00000000D401}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439D4BB7F799DEB5CED12403A27D08D9,SHA256=AEA35FD8528A7C2C9AF04D109E5D7CD1D25CF5660D1E6DAF1B9D02566CB39294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0B97-60E3-D30A-00000000D401}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B97-60E3-D30A-00000000D401}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.675{7F1C7D0B-0B97-60E3-D30A-00000000D401}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B97-60E3-D20A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0B97-60E3-D20A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B97-60E3-D20A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.175{7F1C7D0B-0B97-60E3-D20A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.065{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9E7D305A729CDEE445E5B6DFF35C3C,SHA256=31ECCEE03AD53251CC593BEE4218053E2CCA09806AD484F3697639FF37E1FDC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:32.641{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:36.657{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B93AE8A2D8B6983937A0FEADB6737A,SHA256=6354D8B05DE927ABD613F01E73C68D833AA893416DF391DE97BFBAFF13624A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:36.690{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9A68BFD843A3CEE44F10E2C3C5B1829,SHA256=5765C954E10502E7E122DC0D03CB89C3F23AB7A3DC166D036C5498B672FAC179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:36.174{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE615865DE040D1D950D2E792B02BB46,SHA256=71B7B61F630DC26D0636A7F04259E49EEE6F215C71C5AA98DC2E7DBC0D5334D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:37.674{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE70E4AB6177B344129896A086AE4CA0,SHA256=C9A1D55C7CE2B6B529018FE7D4E98EE5A5755E37D6AB2AE1CDBA02549D17BBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:37.409{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C100DF3B4972EED09CD9B7ACCD7437,SHA256=95E1E7C1961091479DAE09CD00F4220F3694AE0AF4E7D3A3E72ECEBAAD47CA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:38.720{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E776FFACFB0265B819D215A07D2A13,SHA256=6589E0B612455088E30CF6398E8B24C628558A37FB61EAE3F5C3248A4438B7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:38.409{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBF231A4BBFD58EA200BA0E6737A5B8,SHA256=968DD76DC56CF4BDC150A75186601D7BFA828E480C29AE82AAF75D95FD724135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:39.753{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378C8068FFC61D45546147756A69BBB3,SHA256=9537F25B9893D49860C7165DAD8686DDBA8EE17291750C88C70253E94E882F66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.814{7F1C7D0B-0B9B-60E3-D50A-00000000D401}8122700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000400232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:38.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54042-false10.0.1.12-8000- 10341000x8000000000000000400231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B9B-60E3-D50A-00000000D401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0B9B-60E3-D50A-00000000D401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B9B-60E3-D50A-00000000D401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.659{7F1C7D0B-0B9B-60E3-D50A-00000000D401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.458{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691F281CE5E04C8809C66BEF218753AC,SHA256=A42FF26E4E2D987AE8C07C30092409C921C1D74FAA6911B4282FA719DEDAC34E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.380{7F1C7D0B-0B9B-60E3-D40A-00000000D401}31561452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B9B-60E3-D40A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B9B-60E3-D40A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B9B-60E3-D40A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.162{7F1C7D0B-0B9B-60E3-D40A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:40.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0265E4DC41BA727049444A4D4DD853F8,SHA256=147414538F7C0112D12609AC1E1B738C68ABF87358F73552A22E36C903FB5240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B9C-60E3-D70A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B9C-60E3-D70A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B9C-60E3-D70A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.989{7F1C7D0B-0B9C-60E3-D70A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.800{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D8FECEBA02E8A3BA0ABED0C2DC2880,SHA256=8D676C66FC7A8CF1F3409815F92B398E51DA5D55590EB376F434D132A00B88BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.585{7F1C7D0B-0B9C-60E3-D60A-00000000D401}15362704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001455411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:38.634{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000400247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B9C-60E3-D60A-00000000D401}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B9C-60E3-D60A-00000000D401}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B9C-60E3-D60A-00000000D401}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.315{7F1C7D0B-0B9C-60E3-D60A-00000000D401}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.220{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F73A603EB4F387D92F3F2099558D3F9B,SHA256=8A7DC8130834B8F2B3754D8C87A393DD18207B56EC0F57D66BBE18DDFC261BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:41.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D27351D85AE60EAE4070A3A3ED212B0,SHA256=07F9FED482BF44EEC884DAC6DF7E79FB3168286495B8D470FC4DD107F5BF621B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:41.644{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83C2FC592F6C4D2E2BEE2EE6D16F5F2,SHA256=91E363FD2F3C71D3B5DDCF79152BBC750F02E93F6DE7984BB2521505BE997918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:41.394{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4406419E43B553D53AE4B4C2D17757DB,SHA256=98DDCB1021781AAB8EC8AB989F68B7D59B06CA08FEEEBCD5467DF5EDE6CF8C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:42.644{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990C2625C29F7AB0D3EAA92147614926,SHA256=7A70593D2C479106A7CD7714D25349BD88F4AA1BA629019A93FE51B0980540EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:42.771{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368E93AF2DC762AEEBFC7D8815EE78FA,SHA256=30F5D887CEAEA39E1690D09DFD5B6A9EA6E92C2ACB0D25C4D12879DDB42DA075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:43.722{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A4636AFEDCB86D32E7337283612BC7,SHA256=638A66E4DC8BAB006E2A8946AE39CE8CF8A3F809751012FE770A4B83F5033538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:43.802{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE95ECE80EE774270C2181517324BEF,SHA256=86839E68A5B185B44198FE978012C98CC27C2195AB0F65A3086A7004DAAAA1A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:44.816{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61D248C087DF807C1C9BFE42ED087B8,SHA256=63D3EC3A2AC8B4F185F2FB761A97816B7EEBC922AFF287EB8A16989D5CB7D834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:44.722{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540584C453F890D82409A8A1FCA7CCAD,SHA256=F75E9AD55695E6D75B5C830609D1FC08A2DB91066FB2E5BAC4D5D8D64453F0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:45.831{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32719921130CFD69D20BB715D3141A68,SHA256=0375629FB1B44E8D252AFA84C136F0B64A3FFEEF584F1C32F42A15AB7F55643A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:45.754{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5381EF69405D6C8FE77E7DF5AB9A3314,SHA256=6C16E26AB7F646CF4F0BD2C8B74CA2911ABC0936331E80EC67F1B76EC259E380,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:43.402{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54043-false10.0.1.12-8000- 23542300x8000000000000000400270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:46.925{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF551737D84AD40BDC6FE442721D82F,SHA256=DCF871AFA34CB4696A5E8F4A5092FBE2408E7423CA733388E3F7D431BEF6CFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:46.851{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CDEA690AE1B2CD4CE4AA96FFD737A3,SHA256=EC2720A0B20C0E2BE1BFA7712CB14E0694430B1AC4737F9F7638E0934EB9958A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:44.631{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:47.866{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3652D1FBB0E02FFD4BB4FA11F07DA1C1,SHA256=339797439F9BAA8F347AD474C71AE0B35F1BE227EB3AB80E3CEA6B4671E4B0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:48.896{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F341003F22E76E8FAF13586EBDC2E935,SHA256=669E19D7E30F1503B11B28BF4AC9795CC4F618524B1BF3FD625305D12C38F007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:48.082{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D270A94494D708F8254426911812436,SHA256=A91F7DE09DBC7E92699803A9B6627765CA42C8AD09F7140A6E88B751E7DB8493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:49.926{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECCCC76F257D4EF3813D0E3FD4017B5,SHA256=DE1EEB350FB888CD29009E8B159BF6EACEADF3FF5E07813CAD879D268C45062C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:49.082{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2664BFD871F685D4ED4301038D5A2247,SHA256=0800D382ADD331B4FD5D29F5CE4062A8398896598C56DAFEE798863D5FB31C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:50.944{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C11A63E269AB245805334804AD0DDB5,SHA256=71C6408BE1C0E6194560644BBB77225C0A6088C69758997EED8E7704B063A9BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:48.402{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54044-false10.0.1.12-8000- 23542300x8000000000000000400273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:50.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996EEC530032BBC43708B4C6586AB6DE,SHA256=90532FBD3F93F9DB903AE1C5325F9347788AA4629229B449EBC711C3BE7A89D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:51.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8B3FC81B568D7BEEDEABE39021F07B,SHA256=B3B26FFAA9031C54BCA7A289D4760D95211FC25936516B8DEFE7E2EAECFD214B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:51.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44773D98E8C398A65298C6314B130FBD,SHA256=73C142A73C8A561744A39ECEBCE9A31A5B46E76FEC048B7197185A12E6AC278E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:52.976{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A326AED2433AD53A870F2B6F1855B1,SHA256=DED321DE8CF5FCF1289DBEDC5B5BD6C416F45D27FE882951EF2259CF4D90BA8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:50.656{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:52.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD52EB0BAEC0201E91742DACF92E154,SHA256=7D7861F6E09CA6AE5FEB5ED909E0468FC0318D5951FBF7854FECC70CB0C078A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:53.992{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929F31F58621180133C74C0ED870BF21,SHA256=A1105340604BFE1B36E073D7929F797B7BCED00ACA0AA3F70D65D6F6703217BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:53.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA806D80F3604DE928592932086981C,SHA256=3E90617DBBB889662F9D70E1A92E4922471EA38E7814B8FF2C1C219BF07160C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:54.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F747A8FCE6951ACBF997A65AF38FBD57,SHA256=076A9AFF9A40A7811D4A6A50376FA801AC30DF948F92D2D357E60E98F6000548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:55.006{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD7C95553B3338D550762A9F063B0D6,SHA256=091F586376360719639EB339AFDB5A16F67AEEBCF1A77566B415419845480305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:55.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B611F47D0460C86A60E9C21E19270DD,SHA256=5E1ED1B748DFDF7744F64EDD1F124D88CFF5C429E6DF106F33A22B2C0DF5093A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:56.038{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFE7F4B8BDD48C8C62D3B07EA6BBF30,SHA256=A81EA59822F2DC7385C140C4A22A2588EA0DD5E19BF4AA35DED263A205BD6296,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:54.418{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54045-false10.0.1.12-8000- 23542300x8000000000000000400280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:56.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0326B55C79017AE7C380A15B200D87F9,SHA256=D5406C09356AFC6D40634CADFBA9D1FAA3C2062CF304C40668B086692AC8C240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:57.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689D8FC773325D81075EE214BE8FB58C,SHA256=D710A524E1DB0B58D4E07E20BCF01161537DB7D565E96419CB0A5F41A39006B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:57.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEA622D9BF6272C5C9DCF0E84C45141,SHA256=D5008CF510063B3C4720C57E0AF7635E89B66E1D05E01D470C67796CAA4B6C23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:56.650{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:58.087{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A790E753422D6AB03CE2AE70D83E8B2,SHA256=CB8D48E9BA7AF27B979A00D1849DA82C46B427CD6661C0F3AE5A4232E5E079A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:58.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724939E0877688065DA6850CAFCC0690,SHA256=3A09A6AF19702A100FE5FB5EEEB45A57552D37AF3AE909C865E074FA9CD9CC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.854{D694AEB8-0BAF-60E3-6A0B-00000000D301}33365432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BAF-60E3-6A0B-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0BAF-60E3-6A0B-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BAF-60E3-6A0B-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.702{D694AEB8-0BAF-60E3-6A0B-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.117{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161170FF21EB4E0C559BE33E209A747B,SHA256=B84950E2D4F3D1F6697E5C404625D1E98A50C537D7A1E39F3A0C9F08EAFE96C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:59.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A8EC25DB52E2CB0EEA9548AEF9C1DB,SHA256=3CC9B24F609E9B9BC8C642676D032BB16D1F8F777630FDE1BE358B46650496B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BAF-60E3-690B-00000000D301}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BAF-60E3-690B-00000000D301}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BAF-60E3-690B-00000000D301}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.018{D694AEB8-0BAF-60E3-690B-00000000D301}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB0-60E3-6B0B-00000000D301}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB0-60E3-6B0B-00000000D301}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB0-60E3-6B0B-00000000D301}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.317{D694AEB8-0BB0-60E3-6B0B-00000000D301}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.185{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3070201650B264CA05D66B60DC250981,SHA256=309C6C81D1DB0DDBAF953ECFA5AC03405F11D31A3DF64E53C2FF55AB5A0C8556,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:59.449{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54046-false10.0.1.12-8000- 23542300x8000000000000000400285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:00.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7403E0636843516F5E9E7E89202A17,SHA256=8F5DAE0BC03A9A5749038A022326684663DC3F0E5E210F68B80F58C42B9A11BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.116{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9B737EDA71035CE1943E1299D3B975,SHA256=9D7149FB148AC5D3CB9A7BA302537FC2AAE6EC63B55C8404EC84CC291E25E785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.116{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB84C1E193E5FCC4708DC65569E6FAC9,SHA256=5F13050EA779B2EB8DE9DF9B4581C950B5604E3E5D23CB2FE4BD956C32F25A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:01.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37626E4051B67DB5C21832350C490D6,SHA256=477647C45012AC04EF0E7DC52056C4DE5311ACAB70BAD059A1FCC3C8A23375F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:01.352{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9B737EDA71035CE1943E1299D3B975,SHA256=9D7149FB148AC5D3CB9A7BA302537FC2AAE6EC63B55C8404EC84CC291E25E785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:01.215{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B04858B632DF2EBB4D701F5F2EAD5A2,SHA256=B14798EE88F36A88ACFE8F429BCCCF6C14534AC31126216197F3B8A5DDFA1925,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.683{D694AEB8-0BB2-60E3-6C0B-00000000D301}46324596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.535{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB2-60E3-6C0B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.532{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.532{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB2-60E3-6C0B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.532{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB2-60E3-6C0B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.531{D694AEB8-0BB2-60E3-6C0B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.251{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C9E8E6B369FD261B3B9C42D2C9062D,SHA256=05AE3715602A0E77D0CF12091CB128C331A4AF77751022A1E950757004240449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:02.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DB41679669E27FCDE0B1FC4D02E22F,SHA256=D4E6B35F18C6577CA3CD29DBC9CE84BF663F60DBFF1770F820B851C5ED2E8E4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB3-60E3-6E0B-00000000D301}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB3-60E3-6E0B-00000000D301}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB3-60E3-6E0B-00000000D301}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.898{D694AEB8-0BB3-60E3-6E0B-00000000D301}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001455485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:01.660{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.551{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D89BF3D34B80C6F6D190B63A2DE13E39,SHA256=76E3194CB41E54DE6B10EE8E843AC5D23CAB2605338A9210F56EF4C80F9FD676,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.398{D694AEB8-0BB3-60E3-6D0B-00000000D301}40844520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.282{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1476C1F06C9AB0FB9BAE010DCBCFE5,SHA256=4CEFF08CE008838AF499EA603DD0F1F1A8B3010FA2598A3B17C0C62A04AF92B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:03.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99793D9B76A26967F5E1A9022362AFB,SHA256=2062B7C41B5C0F4162D87735CF6B99A7D61B3F0DAA63CFB6560F175CBD5D14CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB3-60E3-6D0B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB3-60E3-6D0B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB3-60E3-6D0B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-0BB3-60E3-6D0B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.734{D694AEB8-0BB4-60E3-6F0B-00000000D301}68043168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB4-60E3-6F0B-00000000D301}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB4-60E3-6F0B-00000000D301}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB4-60E3-6F0B-00000000D301}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.582{D694AEB8-0BB4-60E3-6F0B-00000000D301}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.366{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478BC42D1C1538C3C1428617E73273A6,SHA256=C73CD8F8297D199B76775EC0C47641CC3CCE30D35F4D476F83EA85BACC257E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:04.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127DA1BF6EFC8E5AA532B694C16DE811,SHA256=F8CAA885CD82050648633991F4F437A754ECC0A6CA13B85586F877F58615B1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:05.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B469EFFA71D55945B61D49B86C6880,SHA256=FABB6F1EE7A594853E6491BF646A7D737657879DB71D86955EB96F3ABA5C338F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.433{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61064-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.433{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61064-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:05.380{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E4857B8A9236F8B60627432E36CF6B,SHA256=8E111332C20E8F831B9E789603AA42071E58B88B68F70417962D3E09E54D7FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:05.080{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=772307FC162B9A335B567B78D160A7E0,SHA256=80165C5619FBF6206B28922DBDB0939D9231493C6753D71CAD3097628188981A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:06.395{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB38DE2E16E3ACB20622C3C4CA515AF4,SHA256=15255D05D141A94704635E5A296CA158377A817F1A258655E68760D9816FB744,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:05.465{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54047-false10.0.1.12-8000- 23542300x8000000000000000400292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:06.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983B0DEC66E246BFEF099439BFFC633A,SHA256=3E54E1A6890D0E462C15E35485BC5A7B0ECD333F5936F13F4AC63D6053714075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:07.427{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4CEAE5CB7086BF7D066A2D247DF006,SHA256=6D54CD8C3C45A75BD516BC3C59288F8D513B51C36567AAE6943B1D02C22D5518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:07.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FD2464932ED8DB5BE8E9F01F01C237,SHA256=D2124A181BBB15EC702F992C1F8B32FAD184888C1401ED67E220C0F17032F23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:08.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646A169A263FC9B75DCB149CA844DC7F,SHA256=0B046BE9E834D3C5FA837C1DBBD5B40B6AA9D186E52CE801F829949E4036F304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:08.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E655E62620CD00FE290D5202C4371ED,SHA256=92FBAB01A6F750FE2996D4C82A64810B387E2E0D1685742A76335770FCCE9904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:09.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84256201FD70C5B093AF89B403766B0D,SHA256=DB5FB4723EA8FCE74F1FE4819AD6C910FB7316BA0179D42D34DACC45658BE8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:09.461{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23004EE45AB220CF7B2B6147AF2D539,SHA256=2796428016B5777EE4A0C820C7F830210E54859ECE79AB541B9646C403AB29B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:10.491{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E1235ED73E30E3FC65F01F7A8E693E,SHA256=BA7CF3C7667EC7A35EE425411BB906D895811BC04BCF1315254F65627B42D72D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:10.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72BEDF71DCCF6D3476EFDA7357BBF5C,SHA256=4F66DCE0DB582411FD25AA1D007010F0AE4F7E5BC81754F79D8D0B872E6BFE50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:07.655{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:11.506{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031CF584BCF7CC6186376DF4F5AE0F02,SHA256=0D5902696135683FF108A2715BC9B7029957851324B52CB132A33501745730FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:11.144{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7B8A7F924D444F0AD9E219B3FF31E1,SHA256=FEF6215E9C4762D2497B9FC909FF776C1B0C6031E7A781954CB5740936D8B548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:12.523{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AD3510E8924325EAA0E08B7C3827BD,SHA256=6627775C376B6E9B0226F27ADA0E4E379D449736FB7C9EE0ACC0F4934C346D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:12.144{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5FF2D7B8E32B4F57875E24B2C17EB3,SHA256=732C0910215762427BC1A930B1A55B8A8C702FFE808AE23CF1095C6998153F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:13.556{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795DB34110D49E92B8B24B7F510ADC2C,SHA256=4036D24EFC0FDDE4DD38B9B6E1FED5CB6959A0C4284B3B4D03611159253C20F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:11.311{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54048-false10.0.1.12-8000- 23542300x8000000000000000400300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:13.144{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407DB2E7383E6FB1F50B9A6EC9F40EC6,SHA256=3B683B00C936B613C1CDD54E911D97BB609CB3310F6CE26AC048EB7F374E2F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:14.558{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF86D3AB0D89EA9C3F76265AF9880BBF,SHA256=ABE9D6B6A8AA13ADAD6931A77AEE7EE1DF37E0B45F8396583AE884007C348D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:14.144{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7179DE8C1147721959414CA3166A3D9,SHA256=8B3BC952FF555D999B8F3F26A03A179A255C9CF886897516514859A53ECF4501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:15.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79F2423B631134B28752D75AFD98422,SHA256=3793AAB595B9D2F1F8A4D10FE4C5D02E2AFF07F356F0AB424C49B067570ABB08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:15.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FC88BF200BBDC20FAB8A0800161B91,SHA256=122992A68497923E13573F09456A7D98FF9258E46A0A3026F4DA1E5393692419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:16.588{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5233AA272461BAA9C51AA414CE223D9C,SHA256=0FD2BE31EF2C97425F20FA65742B467886C4135E2778717D26620975CA201EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:16.222{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D5C4387C1839239E9CEEDF0BA7366B,SHA256=C9FEF49890EA160826E77C5D5127951525C5DF031B3CF3FC3B47FEC4FDF1920A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:13.652{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:17.620{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3719EE48918AC9A4C4560DB4CFFC7928,SHA256=3C8F7BD5E5DC4651D82820FC46742D1A8CD876A28F45ABEBD045A48C338DAD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:17.222{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E597087809570DE7CE77EA0A9581A77,SHA256=1987D645F3A1DBCAC3B1618DA3A6C9C1FA7C22CEF51B4B4429FF0C1D176D81B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:18.639{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F4541FDA2CB47F720C614F6E9B7399,SHA256=D5F8549272E01A19066682F472B794E5FF9228F2413052D70927B689EFF35FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:18.457{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC572F89282000426946EB9F8A77073E,SHA256=03743A177EFD49432C436B1845734E6E0B8AE70EC113FE98D6DD1544A0D95D98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:17.294{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54049-false10.0.1.12-8000- 23542300x8000000000000000400308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:19.691{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE0166C38D7B36850290E2E390357C6,SHA256=5BBFA04880CD6FB2BE4496F15DF5FD6168906F9A8B5A582809850EFB0D36B52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:19.654{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884AB1988406E76B8E71DFA64676760B,SHA256=8E60C7C9FE2AAD86F817E55C497BEBBFF7758F9434D6C6D35FE7103C9F7F111B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:20.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222A2AE543606558DA508F13381A2BF0,SHA256=3B78DD2A69B7B690908E70C41121D8E2E4EAB6BC1E9B0BFB25CD0BE184B225F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:20.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD112750065906BE91A58EA5794A5BB,SHA256=2B17D2AD496917415EFBD9B3BD15C70B89C3C1C06C717FF69EEE3998B5B54F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:21.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBD4090723CC9E7237789F7C88F0668,SHA256=27E0E8A3CFB57D587B8C78ECBD0CC49FA40CE024200B9D25096B02A6CB35180A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:21.716{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE3D4CAA4032A62A144F7DC569786A3,SHA256=B581C1AE956E9D6EDE09996DBC8BE9B3A248F6E612A1A334B59F60C7AA60F75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:22.736{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA3A000A8BF0C9C178E62732FDAC5BC,SHA256=06BD590666249D8C21017919BC255E7044329058F697EBBB770AA176F746146A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:22.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543CABBEC5BB3A033F1162150CFFCC50,SHA256=8DCD48B646F330F24C065331449BC5080770E18091FE32E104913C38DC630ABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:19.665{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001455535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.752{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68583C66992A091A6726D427458B710,SHA256=874558F2414AEBD00E6CB892A011EAF8B1739A724811436ECEEBAF3CBB34B7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:23.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620637A7C24AE1FE702478C690F59C0F,SHA256=CBD549960B39A767D6EF901030338756A7D38CFDF603A37DCE9382E69AC43110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:24.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878DBFC98A3DBE1E651DF8D371D0FD81,SHA256=04C82DB9680118A886B4B3F05870B0D6A02D9EDA8C2C9EC79012E519ABADD57E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000400313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:23.262{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54050-false10.0.1.12-8000- 23542300x8000000000000000400316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:25.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931BFA6E58DBB535FE06B1BC10FFB72F,SHA256=B154F4D72EB4B6C08E8301419A3394A81C0D5E719A7D54653BB23E275D8DA862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:25.251{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE2724829282F9539E27742A7C5D41D,SHA256=E294B1F57527B73FD754CF26F990FE10AE8344B96F6258D02055A44A4843F095,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000400315Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:25.816{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a3-0x4f80ce79) 23542300x8000000000000000400318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:26.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F6FB4546143A14529B36B876C849A9,SHA256=6208FF564BB676264ED1B9D3B40F8DAE78A10194ED200C6E6EE44C3616FE49E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:26.266{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD77A3590B56C8718B9E5F863FE18CC,SHA256=0555658D1393BFC050C642A38A3C9A4C2C08134FE85079511DF0D7B1D2C650CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:26.379{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1754BDC2F974CFB414542D1657396275,SHA256=EDEE9AE5F582FDFDA4B943F35140BD8DE2DB4C4023B2A9C54415981F148C41E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:27.849{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A06DB8195345B240FE9579D901B95D,SHA256=81E22373F194935F3138E11FE48F338F699849870DB454EAE26F8868E4AF4C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:27.280{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0C13173ABDFDFCB74AE021DA2C1991,SHA256=1A18A858D714756C3D3CCFB029B7B1E2BF36B2D32E068C7E17146B520D93F12B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000400328Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000400327Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015770b7) 13241300x8000000000000000400326Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0xeec93e6d) 13241300x8000000000000000400325Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0x508da66d) 13241300x8000000000000000400324Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ab-0xb2520e6d) 13241300x8000000000000000400323Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000400322Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015770b7) 13241300x8000000000000000400321Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0xeec93e6d) 13241300x8000000000000000400320Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0x508da66d) 13241300x8000000000000000400319Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ab-0xb2520e6d) 23542300x8000000000000000400331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:28.911{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269EECE3BE950CD05069B466EDF65939,SHA256=3B0749857C59E11C1C996B1708AE3E297090168BB8F9C1E298583E8F711A973D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:25.696{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:28.312{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF14BE7609F8243D8FFD3A3726C9995,SHA256=420DC152458B1DF352818F9F7CB905E0CAF0F1E845E1F9F0CA0B4C89D6981271,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:26.011{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000400332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:29.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41025E9A11E098A7A1C093F9019331D,SHA256=90DF4290324910B59A2C3F1FB3900B22134D1D41F8861C1E271FA76F4CA08D80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:27.342{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.47.130-63239-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001455563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:29.331{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6384ABD0992EFABAB50E6A3C1FCD8742,SHA256=9C020BEFD1BC5FEE752440966C7FDD32E5BD9CC46653B5BA0B05AC27F295861E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:30.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BD500F3CEBB9AA3E7E553B81E819A,SHA256=FB4F1821E37E2CFF10B6B111402B4D1CE9CC368F2E5619999227A0B969AB805E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:30.744{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:30.345{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CA74EE842697FB04FCC6149D97B128,SHA256=680FAE662674069457AD628AD77BFA262F13CA27E3AA8CAFE9C87F154FEECA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:30.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD81C69C825AF3BF91F5A6D462C888E,SHA256=3BAA9263DCBE6B1EB0D62DEE23ED0B3B38DE1FC4F41507B6FF1EC6F8D939B86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:30.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D377D3D3440048A8B855B56B280035CA,SHA256=1923D76D4AF05ECAA840814A46F93FBEF7F2FFE321C1888346F16A61DBEE963F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:31.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903F898DEDC43C31D1415EDA9EFB7F1C,SHA256=0E29D872D3F0EC338AF6359231DB76943E4870DF1DC0B5140E8F46FD5DE91D94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:28.709{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-201.attackrange.local51504-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001455569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:28.709{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64422- 354300x80000000000000001455568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:28.709{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64422-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domain 23542300x80000000000000001455567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:31.375{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B89893740C64B326058B6EFB8127DD,SHA256=2AB9C9343BFE55DB0C328A00E494E69A5F8B137BE9B02FDAF9F1324D70002A98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:29.510{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53368-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000400337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:29.263{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54051-false10.0.1.12-8000- 23542300x8000000000000000400336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:31.411{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:32.989{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AEE0909C17D061978DA5605ECE6452,SHA256=828EFB2AB297D192544FDC26C19091E6001123CAC14C404308227C76B2291735,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:30.176{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:32.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CA663EDEF775B52FBD99FC30E18863,SHA256=5AEE6F926BD5DEA38FEC51027902CAFED8F917B61A9F815CAE549BD2427AC667,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:31.474{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:33.427{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B056B1968933EE199F72BC24A10195,SHA256=4BEC6CF18B43FBF698332E440520059FBEF267AD0766C7A3E74A24A57DBFD28B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:31.607{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54052-false10.0.1.12-8089- 10341000x8000000000000000400355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD2-60E3-D80A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0BD2-60E3-D80A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD2-60E3-D80A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-0BD2-60E3-D80A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.005{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9306BC8FFA658EB5D6F13D0831A9F5A,SHA256=3D0672F033EC8AF18673FB53E1E703687FAAF1790B893BA592C81F92604A8F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:34.441{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B3591F867F05532303376B2E14A966,SHA256=9ED5E43E9D2781A20FFAC30B72A2B355DBB9750009D7DE812DE351017699D7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:34.042{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=05C50662C8C36C72AF1357C9A7A39B7C,SHA256=FC148F86857644DAAE5603AFC640B2A7A0D66D54C0838F61D5F0E5FF45BCE7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:35.456{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F142C736C36DC9EF6D7190ECC6AA1E2,SHA256=CE4A3CAD58C367C58E260A5EFC22D95AA16113997E8A709D76ED190EDF9E60A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.724{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FCC4607ABD579D2F9D829448798226F,SHA256=2216D2AE540E5C9354DFD0DA575A0556582A79DE694F5E5E590DEE325FDB9E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.724{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD81C69C825AF3BF91F5A6D462C888E,SHA256=3BAA9263DCBE6B1EB0D62DEE23ED0B3B38DE1FC4F41507B6FF1EC6F8D939B86D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD3-60E3-D90A-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0BD3-60E3-D90A-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD3-60E3-D90A-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.350{7F1C7D0B-0BD3-60E3-D90A-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.020{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C3A7DAC99BAE7416AF856BF1180E41,SHA256=EBCBA437DE58D63BC541783B14FBA9FFE8AB3D641CED6BDF6FA60EB0B43067DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:36.470{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D21B1C4A958D0EC55070C2C1A423C8,SHA256=DBFC16C1602CB82EE7E4A70F405186DD313CEAEFC3E463EACCDD5A0275E0C5FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.255{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB06C19F7C0863E06933B328122F7D5,SHA256=6CF55388B7397394AEC75F81591F6F792441C2E1BFE558C5F48FB8EA0EE62512,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.037{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:37.906{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A7D862D0EA6EA4D03F3BFD4F74B1205,SHA256=DC1606D883F8573B11A74A7305ADEAF27591AF3335D0D6582D5EB56DE8213A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:37.906{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81DAE4886042AADE85994027BAE63DEC,SHA256=CCEE21C4BB13A907AFFF4D010AF55CF48C133E21E76A0C1DEB5FF5A550EC6BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:37.485{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90304653BE5064A6549281FE3C7594D,SHA256=6B116FCB99311B6E2245CC7CA2CBEC721D0BF8E7B437CA4D57867CC9B257E0F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.295{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54053-false10.0.1.12-8000- 23542300x8000000000000000400388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:37.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12C8F90927350536B84B3CC50F23F15,SHA256=E924EAD210385299BC1F51E05A0D751A4FBF71FD9DC4C7E4AECB5EA0FAC4412A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:37.036{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FCC4607ABD579D2F9D829448798226F,SHA256=2216D2AE540E5C9354DFD0DA575A0556582A79DE694F5E5E590DEE325FDB9E75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:35.919{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-46233-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001455582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:38.501{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FFBC098C743FD32841212D33C265B4,SHA256=486DAA441F6963CDA4F1DEF7E9A0AA8068EDAF876350B63BD90F482810D71DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:38.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2784AED7E2A7E8440BF1CDB2F959E421,SHA256=CB5BDEF67ADACB63C09D6AA3F0D45F0FFB86ECF2C1FCF87E55393091C1245202,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:36.485{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:39.520{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A593512A49D490CFBD809DD08430A798,SHA256=306D2A2A2F2F4CAFB9ADB8E53564D9DEFFD3AEAB3E88DBC0FD6F5F9FF5EC9BAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.911{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.662{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.458{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}40403772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.162{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC25695B893AD42EF7788A9E6A0C0B5,SHA256=B90D3C8571E3E14CC3E7A2CD1446D955A3A2B1088741D3A363B558930DCD8500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:40.535{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C96F95E8DA738D8FB5CB41CE97C04EA,SHA256=D8F432F63B1CDBC76577F971183E0F7A47F7277EBCF53A51257DCEB3E8D5EECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.815{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}19362812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.675{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=464A4F6564274DF49ECCFBD4D6826E8D,SHA256=C5B3FAB8E07BB2A6EA46E78E332168C763F6223F02DF4F522D4C666083BE1494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99555E9B0B5EAF186678865C76BCAB3A,SHA256=9A268CB31DEEE3772D9C182441D7215221DBAD5D1CB8AEC53C51FD95E0B9FF44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD8-60E3-DD0A-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0BD8-60E3-DD0A-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD8-60E3-DD0A-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.178{7F1C7D0B-0BD8-60E3-DD0A-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:41.880{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A7D862D0EA6EA4D03F3BFD4F74B1205,SHA256=DC1606D883F8573B11A74A7305ADEAF27591AF3335D0D6582D5EB56DE8213A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:41.550{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610064AD0CD177B95DF3826BC1E7BAE6,SHA256=69A6089747D89EFC3439C2E4B246F4774B8D5709435318D307931C1494FF6C96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.357{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54054-false10.0.1.12-8000- 23542300x8000000000000000400450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:41.315{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26461C310C66EE0C436BF4A93CACD71A,SHA256=9B064C85EBCE37B180DE397BDCB4FE38F7D169BE0A555EE80517BA96DB332B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:41.252{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B21DB622CD6A73874D42F8F904FA6F4F,SHA256=B45E7178D2CD9930BFD648B180DB7C206814613F8C749E45F8C7CC88CD02E0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:42.564{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75829EF8FC78ADD3AAA41D733E7C1FAC,SHA256=A5C27EAC580086197CA13FBFF0348C7A0AE075D497451170DB968BDBF3076BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:42.255{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F25794A330CF5BD25A3DE86E754E6A,SHA256=0F5757A5F20D837BE4A06DB9EC05C2900E0729D1802A6BD957715E2DD47426D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:41.564{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:43.579{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E60E065399E8B1666771F28E9700F97,SHA256=38BADF8559724FEECDE7EF5F4944F85B2825195BEB0A4372D6CC8F60BD4BA59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:43.489{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C3C7299890F9D04B15B77E33272B1F,SHA256=2479451CBBD049885D5097363936DCF11E9B23C1E876E1841AB8EE69F7BF8F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:44.599{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1459D49CF4837923C59D1671DC3443D1,SHA256=E9C6CA890BA5E9FAC599DC093560BCBCCC89DAC15406B210FA00E7EADF722CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:44.536{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413A10DB732A529556AEE32495F1C9ED,SHA256=9606169E32BF31E91D69E03D1AE1B2150A5B9000E28457536979E4D662C052CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:45.616{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92017AB07885CD16709A7042705D61C1,SHA256=67203C43B0A8C68AC4409D8F67DA22BB5942B0625F9169CBAEBBCF98A63CAF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:45.536{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DF4C498F801A75E5D8D3D059889B9E,SHA256=2530F74CF0ACD1E49F2DAD4EA74A9FAE5535DD984B7A6904405280CBE29B10FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:46.598{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BF596FB0C4007626B7636889A0529C,SHA256=DF3F75F1820DEC754A823A027EEDCC237F593FA13521E68E8DA856CE33A2CF18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:46.631{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F45985F6766E654F0DEA77AC4466A0,SHA256=EF5AA0F3D6E3A0B7D6A9875ADE06C759F43005AAC44BFC5B844F42011FE7B2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:47.646{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09811CE62E922A3C5F10252611DAC061,SHA256=48D5569413047B7052110D98617F1BA3B64113B942A24DEE5C886160B7BB37A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:47.645{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5999B6BCED9F0356FFA35468EE16962A,SHA256=68801625CE724D1FEEA6CC74322CD10E0E8C076BC0602A85B55C60CB9268F15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:48.645{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205C144F22ADA7FF665D0505B3978C29,SHA256=03C22031C63F1105AE29196BC871A9E875868A7A971F4B7F7C7885DD5525A705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:48.660{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F48280BD6B041005171CF5B41783E1,SHA256=20030BA0B91DFE941310D19917FDA7A02DC9258B93D10AEE2282E9816A37DC87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:46.373{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54055-false10.0.1.12-8000- 23542300x8000000000000000400460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:49.661{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496AD71B8296BAE2912C3C1DD7CE603D,SHA256=5D140D0C41FE7DD320AF60FF36A541E57FFADE2B529899D02860E6F9F284187B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:47.592{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:49.675{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70B1110F053AC8D3D34D40BD1F093AB,SHA256=53BB112ECDD074E9EF7EE2BB06F81ED5C25A76D70520712C14C0D9B250BAEBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:50.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50D1C208869B1DBCF744E8F47B4A55C,SHA256=5D541C11385479C5688E5E876F0BBDEB9781625AEA3356F72A426EF066C1C745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:50.692{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983930FC5184BA364AEB28C8C6783B1C,SHA256=AE1F797DA84DD77335CA201F2C78235F08388A6E2FF7824835AE909259A07DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:51.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E5E35EDDC526680D465AA5A2384E83,SHA256=CC095EBF78826A003284A5DB19FF580D7FA37B076C7E8991532B5267AA11BFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:51.710{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB321B7A8FA92242031E97D41055C863,SHA256=6A83BDEDD01E6C8B7FAE9C8DDEBC63BDB2491D18F822166C7896385D24437764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:52.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DDA38607F4EC9C6EA71A5B10F3E2B2,SHA256=5386031315FB214FD181FAD55A1522DCCF8C40BA1D27EE6AABCC1A9963E1BB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:52.725{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A37F07B346B7BF1D753BD89F56D5BA1,SHA256=42E89F1246882E1F7ABA43ED8F0107A2D5FAEBB2DCAF9DBE98A810AC1E79E5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:53.817{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9F08B8C5D821351A78F27655863454,SHA256=ACBF566CBC74110A4D751C4484FE165D4B3BE44E24E8891DDB48415F0B526352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:53.739{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEE78E5574F9320014C72417DE93C85,SHA256=78F9CFF62363969501D5647F2D58568AFA8A8C7D21F34F1E5AE34AF200C033F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:52.357{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54056-false10.0.1.12-8000- 23542300x8000000000000000400466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:54.958{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D319B9FEB1DF0296EC274625F81F415,SHA256=B3672B146DB216320D948BFB23014F34BDF8B93ECC5ED5B07362754F3258E23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:54.753{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507D64408C4E597F4221F49703AF2850,SHA256=ABE9EFE001C72992721DA63D2775EEF6D4AC7E0002D0CEE2DAF9520D331B0D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:55.989{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA134A95C8214D95F29CBA3064DE1CD9,SHA256=5EF6EC4766BFE051CF6F0C1A73E0CD75E6A651F8490830F1BE6FD361CEA06F29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:53.585{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:55.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B6570E54A4F1BC1D02D3B24A014562,SHA256=86D3AF0A062CC29ADC3E76447842F48AED81F7D22578BD98ABEEB4F7D446B04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:56.786{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5FF38327F5762A90C55266AD8F1C7A,SHA256=0AABDA51A899DBFD131A21125C170C301690CE8B0241D87308AC4C8EEF006C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:57.803{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F305E02A8F88ABDF4D1AB47E948D7519,SHA256=C7D72D88FDF41225543D929E24FC84FE77EEBE5D22D9D34790E323E4FA070F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:57.036{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4A774BF7AED5D13EF2F4304519324A,SHA256=C8F5D5F9C8A15ACD43D3AB9B61FBC06ED35F4ED59D1528805BB284E7F66EF90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:58.834{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B577CE9B9E446D4776517C100013F0,SHA256=46D6A00B594308D6181E1367BAEB34713F345DDAB9975B309582FD5045B9DD79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:58.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022CE674476B7D467C9CF51AA8493370,SHA256=0819449D532FA173F6609E0B46189B97256462D7E4367E6F2EC15D17905E5615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.848{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D218351B06465B63718DCA10D08A13,SHA256=184A89B9A7AF0AD67838A86F712AAAE152D27D134F7C9E340431BDBEB4CDCEBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:58.373{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54057-false10.0.1.12-8000- 23542300x8000000000000000400470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:59.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B25CE39DC7EEEC6AC0CA049D8B86C8B,SHA256=6F2F873D11756B3C80228486D6410958DF57557CA8BEC0443A6F77A9399A0607,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEB-60E3-710B-00000000D301}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0BEB-60E3-710B-00000000D301}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEB-60E3-710B-00000000D301}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.702{D694AEB8-0BEB-60E3-710B-00000000D301}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.165{D694AEB8-0BEB-60E3-700B-00000000D301}38442584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEB-60E3-700B-00000000D301}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BEB-60E3-700B-00000000D301}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEB-60E3-700B-00000000D301}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.019{D694AEB8-0BEB-60E3-700B-00000000D301}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93832F5E07ADB4EB7A9223D6B96A5087,SHA256=2EE63F534ABF8E41585ECDC351AACF334ED778DD4F5F751CA5A60E05CD67B89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:00.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7CA6A9C95B1ED7CA1A0AEC2089BB6A,SHA256=A93D8B57BE0329E7EB5C5822B3C94CB68F03223008B9B73DBA3BAF81564E69FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.385{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEC-60E3-720B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0BEC-60E3-720B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.382{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEC-60E3-720B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.381{D694AEB8-0BEC-60E3-720B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.133{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F68DB0BFACE8E91DE437F2FAC192A59,SHA256=5ADEB4878A2D918BF93C0C067B69408FBFEDB5BA8EAFCB193A0AE4B5DBB70E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.133{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E6253AC02C97CAE411801395A3A099A,SHA256=A0035EC48D32C0D129C8C2F9FBA3B189430B13015334BF0D9B26A47876505C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:01.881{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF6DC530DB9DA20B56799577CFB70FF,SHA256=87AAF7F48C67AE47E998080203B78510966E51F9F50587115EF8FE8845345AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:01.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C20567E4684CB91C990DB9B9E582EBE,SHA256=6E3C88B124AA0086A05187BD0037FA6154FDEBF85181C6EC291D7BA87A53D25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:01.401{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F68DB0BFACE8E91DE437F2FAC192A59,SHA256=5ADEB4878A2D918BF93C0C067B69408FBFEDB5BA8EAFCB193A0AE4B5DBB70E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.899{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D261A0CC85544EC5385A558A343CD1,SHA256=396FF22D69DF617ED546C4E3DE0CFBF457F98876C5376265C80791434952B341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:02.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2272A7BA71297300E3052181EE89CE,SHA256=A3322EFB097B37FCD5F4DFBEDEC294046CFA83126A8E98F10CABBB6C08AF3127,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.684{D694AEB8-0BEE-60E3-730B-00000000D301}6328616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEE-60E3-730B-00000000D301}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0BEE-60E3-730B-00000000D301}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEE-60E3-730B-00000000D301}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.547{D694AEB8-0BEE-60E3-730B-00000000D301}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001455640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.580{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001455670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.946{D694AEB8-0BEF-60E3-750B-00000000D301}5716388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.914{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9603DEE289AC161BBEB0F52ADFB756,SHA256=D0FFA6F94F5C29E8427F37EC3FD88CCE8F9171A8E2290085AD21195983CD0481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:03.192{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C689974353D65FFDE45A1750A1F5A2,SHA256=BB55471025EA5B28FF4ADF4C6FA410C89CFCB8A9F2E1FBF2D18596B51A4BEDEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEF-60E3-750B-00000000D301}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0BEF-60E3-750B-00000000D301}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEF-60E3-750B-00000000D301}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.800{D694AEB8-0BEF-60E3-750B-00000000D301}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.580{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEBA2FDC301A555B1664A1827E71090F,SHA256=5C9A7FA91821FBA4CB45B9C6CEC69667351C278DEACF215B2A0BA5672EA9B3A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.314{D694AEB8-0BEF-60E3-740B-00000000D301}64561568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.183{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEF-60E3-740B-00000000D301}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.181{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0BEF-60E3-740B-00000000D301}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.181{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEF-60E3-740B-00000000D301}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.179{D694AEB8-0BEF-60E3-740B-00000000D301}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.929{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18972AC9AC658495253A2DC4E440053D,SHA256=A9D79898F1F95C93170BCC10FA3533866CBAFA32AAA7CBDEF28EC217D17464FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:04.210{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4064B2799D3BC8D3233EF1382AC35D20,SHA256=CCEB240F7671B663451D0A05A5C46431ED7EC7617D7B5351EF2112434FD00515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.814{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CC0F24B075C42410B8025C1DA1AD6EF,SHA256=396DB076FC3C07E13F754AB65D8DC4499071DBDD4A22E15C18BC4243AC5E9DBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.481{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BF0-60E3-760B-00000000D301}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.480{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.480{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.480{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.479{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.479{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0BF0-60E3-760B-00000000D301}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.479{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BF0-60E3-760B-00000000D301}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.478{D694AEB8-0BF0-60E3-760B-00000000D301}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:05.944{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F1D7DE6D907F61C0A0E46063CF53AA,SHA256=EB9077C51EEC0734022672E849BC4F633B79EC2F8F22DD08BCD66F65F0F039FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:04.357{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54058-false10.0.1.12-8000- 23542300x8000000000000000400477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:05.223{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8265C6A0C915B3CDC6297D907844115A,SHA256=B28B190CDE63DC7F399DEC3AC6254818EB7750A4B314C0EDF7CC5C490C07E28E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.446{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61076-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.446{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61076-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:06.976{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E20494424E87C768C7A4667CE59455,SHA256=CAA9AA373587E436C61402BC23F09B98F90B86F1625382C66F36F7AC00363A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:06.239{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3420C64DAD12AF292BCD293434C158AF,SHA256=737B1CCD057BFDC12FAEF4744DE9B44254B077E3C106B97D3AB008A778EC2D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:07.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4801A154B5F6CC7A32EEB58226B2F06,SHA256=DBFCB305C3BE5157B0148230C00D1921C491CDEC07C959CFE564914B38BFF6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:07.239{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572F3F30C78A1DE7D935D3384A98EF81,SHA256=45EDAA781ED0BF5033DF0E39F2DEEBD7DED9FA7D67BC07978EC5D4CA222DFABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:08.255{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3411A89B3F84AE521169ED82CFD3CCE5,SHA256=BE01DEF63471090F5A08E8B2175B990709A8AAC65DC8CA7351E4140A85A26C45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.610{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:09.286{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF3D74A6EC2E0D53703F385ACEEB779,SHA256=788CD928A930EAD3B0D743756177C8B98631A0DB8445BF18E87614EE5BA752F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:09.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D1E8C35E1AC469967FD2849A1AC2E9,SHA256=8B13532CE5FA2C8C4D5D0316F1F9F035B810965F9B79223AC830942464330928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:10.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C67A2E9117C7C463FCC32BAE52A5F34,SHA256=18D1AC0967EC699A35F723D38787B13E31056F7CFBE266AEDAEEB551C35946E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:10.026{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8A2953CD402656834C2A33D828122C,SHA256=7AAEF83BC78BF1BA24D826BE451EBA6A3377426AE60BC1172692DD0554362FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:11.598{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED1C71A06151E8DB19872C7280F09FE,SHA256=EB4B3504EDE5B57F8D034F19B4F02C758DBFBC44158201140FD7B315D804E115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:11.040{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30C42B5BAC144B2623FEA74727A266A,SHA256=3535459F58EE8C83F81740C1964DBA0CBD0A45B8588A9885E771F29A5EF5E14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:12.739{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D573F7F6B2AC34436106BFF94B6CC4,SHA256=E136CA906AFFCB523FA514A36045B7FF2EFB2FA3371368A9F9613EAA180A0CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:10.618{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:12.054{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9E8275CDF8F9984C3A516D1D96D93A,SHA256=E2DCDF668E908965892AE02233A5C3965B47E523E1AD260969094DB477A17B6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:10.326{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54059-false10.0.1.12-8000- 23542300x8000000000000000400487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:13.833{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0575CDA5C3E7292CC2640A9300D84C83,SHA256=F83C4AD704AE6E23EE39BCA1D9A4755DE9F16890630002F1E2C1EB7395797EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:13.072{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153F67A27962B1A4CDD673F8980F0B89,SHA256=E4CEE8D4D2AD6CBFE049A4DE10EA23730A373B28136E45981ABBAED730F5FE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:14.833{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B59B732282F2B47DAE41DD0CE4E8EE,SHA256=682B8A82E92C8B430EAE99FF845E0552975ED295EB0DA080F921E3B401C30C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:14.108{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18AEAC8A46F15336A5D0442601D3A35,SHA256=49894D84838428F6A0565BB1E1EEE442717BCCE58B4CF97A66AAF7BB003123F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:15.848{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22AE8AC8B0500692198364EADD89253,SHA256=A422958F9530638D290484E574DB9348572853096043702A79348417E201B521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:15.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F967203EBF56D4A84854EAD5E0457E,SHA256=C1493226C21C51C5C617E220EF06FBC6BB578ACC9F8CCB8BE810A3160CAFCEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:16.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CAEA79F8E691ACD5504AC5E7E06011,SHA256=C2663327AC7B4EEC573BC9D5BE7AACD645BB623D817C6500EB6B2D7E210A2A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:16.191{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28565D9ED65CEFF960454FC2D07B82F3,SHA256=3DA679AC2FC79B6E217675A03B98EC8F3DAB68549DDFAC36E9264953EBF3E453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:17.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B77632C61BC2A8F0A79296271A142A9,SHA256=B03154F9B355CB7573F50BD8E78506F6245338F7A6F9D356EDB1BD71F05A8BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:17.192{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F67C81C39CB225E640CE8315596956,SHA256=A6141E8B716ED1A3ED2D26CB890C7F37C59CA0B1B2E5EC2100C3385F2424E68F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:16.279{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54060-false10.0.1.12-8000- 23542300x8000000000000000400493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:18.958{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA8394F35C363A589F0CF9F8ECB8C34,SHA256=A102B73BF179C82DE43F6980830CF78B1377F64A41C40F4169D279FF24F7245B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.206{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5036C7E4527AF42300C71F78CB6205F,SHA256=5BF4B9BCC92C0192B49D4B097D5E9C9A52777141307E1936248551208EAC6C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:19.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DA2811FFEDD9826F1222C8938740F3,SHA256=7176FD10B6A76696A6C3987FD5007201A57E180A13C9C4D14E949D9ADD357548,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:16.617{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:19.221{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879147C4684CBCA707E588D2B3F38B0E,SHA256=8A61A4876581B1782523C72D083A36910915A75D0D9E628F591CE893CFF55BFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.752{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local63509- 354300x80000000000000001455749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.751{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63946- 354300x80000000000000001455748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.750{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local50523- 354300x80000000000000001455747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.750{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63077- 354300x80000000000000001455746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.749{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local62106- 354300x80000000000000001455745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.748{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62117- 354300x80000000000000001455744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.748{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local59642- 354300x80000000000000001455743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.747{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58666- 354300x80000000000000001455742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.746{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local60313- 354300x80000000000000001455741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.746{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60138- 354300x80000000000000001455740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.745{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local58812- 354300x80000000000000001455739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.744{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58010- 354300x80000000000000001455738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.744{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local65464- 354300x80000000000000001455737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.741{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local58054- 354300x80000000000000001455736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.740{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64306- 354300x80000000000000001455735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.740{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local50708- 354300x80000000000000001455734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.734{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local60034- 354300x80000000000000001455733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.733{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local60232- 354300x80000000000000001455732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.732{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local59351- 354300x80000000000000001455731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.730{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62008- 354300x80000000000000001455730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.728{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64266- 354300x80000000000000001455729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.727{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local63434- 354300x80000000000000001455728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.727{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50951- 354300x80000000000000001455727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.726{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local56554- 354300x80000000000000001455726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.725{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56471- 354300x80000000000000001455725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.724{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local57008- 354300x80000000000000001455724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.724{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62815- 354300x80000000000000001455723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.717{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local58651- 354300x80000000000000001455722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.716{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49802- 354300x80000000000000001455721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.715{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63258- 354300x80000000000000001455720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.714{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local60007- 354300x80000000000000001455719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.714{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local51132- 354300x80000000000000001455718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.714{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58858- 354300x80000000000000001455717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.713{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local50985- 354300x80000000000000001455716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.712{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54046- 354300x80000000000000001455715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.712{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local56185- 354300x80000000000000001455714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.710{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local57071- 354300x80000000000000001455713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.710{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56185- 354300x80000000000000001455712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.709{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local62588- 354300x80000000000000001455711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.708{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-201.attackrange.local62588-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001455710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.708{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64100- 354300x80000000000000001455709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.708{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64100-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domain 354300x80000000000000001455708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.701{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61082-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001455707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.701{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61082-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001455706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.700{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61081-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001455705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.700{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61081-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001455704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:20.256{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0C36D004163B497BA16E18118932D8E,SHA256=E92E380D060B875502F561474EF20985DCC8E6883EBBEF715D807BA2AA3CF661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:20.256{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4BDD385355F5F1FD6D80A7B77744C7C,SHA256=04450763C5BC8CC6E4419DD5F2511550B2A436AE1F734FBA73CDCB7364553AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:20.224{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43C8B03471B062942BF5FB12239EBCC,SHA256=3BED39E2A31DD0A3798218E2ABCADDAB435A911C7E7ACEF3CED2524351A7696D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.301{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61080-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001455700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.301{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61080-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x8000000000000000400495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:21.192{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8AA5EBC61A68320890E4FA0D12CBA4,SHA256=B94590E8E554D0BCD1F548003DF111A2D05522D5B700E62CA984E0CA7DCFBD11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.738{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001455751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.523{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A78ECC7AB0FFB6FC9F72E6E78C25F59,SHA256=7BABA38D86C564A7B60A3D6BAA24F44C0CBEAE0C124D6BE9C4BB198F9D854ACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.079{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local61084-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001455757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.079{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61084-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001455756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.072{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61083-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001455755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.072{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61083-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001455754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:22.640{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0C36D004163B497BA16E18118932D8E,SHA256=E92E380D060B875502F561474EF20985DCC8E6883EBBEF715D807BA2AA3CF661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:22.525{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B167E180E65D30330E71EAB574C07E,SHA256=E1DA47F737FB585469E92F73832A242867B36BF0F276CAFDA7109D0A01986142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:22.240{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A5E2FD5EE907026D9AF6419B366796,SHA256=85588BD87443B9F2981EA2C3808FF52489DFFDCBC0B57EE1C7C619BF77272998,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001455762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:41:23.976{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001455761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:41:23.976{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001455760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:41:23.976{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x80000000000000001455759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.539{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FCB2364C03774B6493C7BF2731850B,SHA256=CB26AA1C1E08338A415EB8AE7A7DD8F611C96549D0F47F858896D0C658D6D397,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:22.264{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54061-false10.0.1.12-8000- 23542300x8000000000000000400497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:23.255{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E858225D058B92F26C8469227EF5D6,SHA256=3703D3FCB6996C8379EB75C92D230B8EA7636B344C812BDDA18549719E6329A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:24.991{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A5C91D193A7712EBB08CB1C82DB4110,SHA256=945C3853724F8297F5DE4F3E1BA8DB472E0B3F3A712E8ED8AAF442F2B2413D26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:22.639{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:24.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12015779EDBE132806F153B244AB60E5,SHA256=2728481B182247F54A41A0180D1F452E60FD33E76B1DE1C1749835164F6C7FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:24.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11C1BA5AFC4AC753C781468997E47F0,SHA256=F4F146BF07D111723369D2B37ACB0E0283796754CFBDF311C30B8149BDEDE35D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:25.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7C0F94306D35E14882189EC39D9563,SHA256=68D78DA3DF4DB44042ADE518A25AE769FA7742F5FEE7F9B210E4FA8C25D7F60B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.432{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61087-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001455769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.432{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61087-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001455768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.419{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61086-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001455767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.419{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61086-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001455766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:25.590{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0526925AB7D05E403535D7828476E0D0,SHA256=2E3541872CBD4582DE745F3A15F3793C632CC852832A19C1B3F03C8A81F91F3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.438{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61088-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001455772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.438{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61088-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001455771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:26.605{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990243F36A7C7EB4C7FD36D9ADFF5B0D,SHA256=A92E4AE7B96868C2DA013ADD289ABBE56882388F8948002E6A3401ECAB52602C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:26.380{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7D992344BDD75DC9D38FF3FB2271B3B7,SHA256=54C66F9CC707166CB02CBB33201F9ADF6CB0ABF7496276E052CA809578235636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:26.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D497280F4F14C70481E577204C0A2BF,SHA256=5D8AAF14386FBF1C653DDA3AE9D357CCFD322C53CC9FF313A66726B554FD211E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:27.635{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F03DA4444D598B74BD4E7A2E371FD01,SHA256=A89D4CB602A9FCDA447F460E4F519A8E42F2CC862667A3E35E8B01903CE95CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:27.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BBAC9772B834F91A64805EECB930BB,SHA256=B5C0B01698262A1D953F3278DFE5E66FD7305995A6D6FCA7158838E2A836B54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:28.649{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A7FF00B9BC86E38E649BBB5F368629,SHA256=89137909722F3EA56A3839DE0259DAB56115F2D2DB5EA519DA7D5DE0740EBAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:28.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFDA0DD8E6D3CA620CFE6DED3235F63,SHA256=83AD2986EB5E3ACCFF77E3A566187CC3CA108FEA2F6FE7FD8AB3C6DAF1857249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:29.667{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDB0B16743FD781306E2E2F22D8F329,SHA256=01D156AA764287A0E006EA6CA7658A8D96B12F84A07A941BB402FBAA6E9263F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:28.295{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54062-false10.0.1.12-8000- 23542300x8000000000000000400505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:29.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63276192DCD9EF6413F5AF49413E9037,SHA256=BF023B53ED284E607562C4B3A5030FDB59A87B40480A8F663086758F477AB16A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:28.614{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:30.767{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:30.685{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DA293E2529237F9403F2DC1543F7A0,SHA256=C5EA848C8C6AE69BA6D4130B786C2879FA58B7A8D8FB19E8B57D38CDD2887110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:30.364{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4579E64BACBB631CC4E3E2D2E5BF22F6,SHA256=B73ACBACA6EE14FD8A4B0DD719285B167A52E4EDBD0E1340E5850CCECFD4C1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:30.364{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B6200E648CE8887645F9F09FFAE5053,SHA256=928F1394437E0570E16972FCC9059567B62C375FA243A776B2AF25AB626653AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:30.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B5C6A25FA102CAA06A9FD15FB17074,SHA256=11B05E8A4918B6061A7CC4BB962BF50BB0E62A781C0F27C81DA0D7624BA80C46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:30.194{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:31.701{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9353B0184C9A03AC417757E762A4071,SHA256=4688A33F219E17C9CDD50B87B6551D47329118277E591703D4BEEBCF3E45E2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:31.426{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:31.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E115F753FA54901C20F5C0C2E1EC7C0A,SHA256=EFF155DAEF73904EB070201724C66C3027D227C83BD7FD8D8A4DA8EE2F9A8A3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:29.277{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53540-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001455782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:32.715{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B3474278920FFB16E078FC101191E5,SHA256=B080C5978E4951E6BD150FDCDC4350120941F3AE341928778AAB8C7F5A0D9E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:32.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E914596C45572C185FA5E8A72711E147,SHA256=58DDB924110E3D34327E20B7116F8628314A19B14D9A5FBA6D8621465AE34E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:33.730{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCEB50FABAF9CC0CFA6DCAFF3EED3C1,SHA256=23CAD26B160D1B2CBAAAAA0A9B91B68BC04DD146C6F889CE1A1DF829CA1783F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:33.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482503DDCA2B184FFDCFA3F0228C30BF,SHA256=1EA8EB4699617EBE3BFEB447CCF5A33EEADB0C71F6AD82D9AF4AB4AF2032A501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:34.744{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B57F2BE977DDFBD9D54C764AD1A4A1,SHA256=A6E45F55DB6D91A1B90C9C1FDABF56657EF0B5902AD547520B08277F6175B0CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C0E-60E3-DF0A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0C0E-60E3-DF0A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C0E-60E3-DF0A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-0C0E-60E3-DF0A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000400516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:31.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54063-false10.0.1.12-8089- 23542300x8000000000000000400515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC2D5A91420F463589B2AE6A5516F27,SHA256=8BB81A015D6896BFE91F9C97A89D488CA29446A1677EE8C6FC47857D77F1B97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:34.045{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=51F416276F1447D5A821A6E34D4C3E32,SHA256=42F49FB101ACBFE4B3435F6272F2887CA3734C04C943A073075EBA6F8884334E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:35.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDED70E7D93F14DA7BC7B2665411C5F1,SHA256=41F5D84219105B08E1CC5C191118258776BE29E4383133EC039CD53047266303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:35.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=448ADCB04400E5CC9941D6606082480A,SHA256=69C007AB7D4605A642596AA6DC8C9A1218695383E516454FFB88BE7E22ED0BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:35.762{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428C6184382651B5D526F2EDB22C492D,SHA256=6E80081739375F40836B6361CB2CA6CB3F13A5DA2A7D02D0CACA78E95A7007D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF1C2CAE7D05D890567E45560260E176,SHA256=72D0FDD5AFD51F5BF65DFB178D9CEABD0D26CCECFB946DDC3B651335FD234196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C0F-60E3-E10A-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C0F-60E3-E10A-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000400547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4579E64BACBB631CC4E3E2D2E5BF22F6,SHA256=B73ACBACA6EE14FD8A4B0DD719285B167A52E4EDBD0E1340E5850CCECFD4C1BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C0F-60E3-E10A-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.834{7F1C7D0B-0C0F-60E3-E10A-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.567{7F1C7D0B-0C0F-60E3-E00A-00000000D401}19322632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C0F-60E3-E00A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C0F-60E3-E00A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C0F-60E3-E00A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.334{7F1C7D0B-0C0F-60E3-E00A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89ABF317A4F151AA4FB1A93885795618,SHA256=81396919ED9CBE72E381438718E090492DDBF213EA647A997DF26827E3E3FE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:36.781{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080F65560AF3805C0E785BEF5B8C957D,SHA256=680DFF756CC812B1FB26A54A45AAE26CF7253E2442FB4BAAF0C397F0CDC33B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:36.911{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF1C2CAE7D05D890567E45560260E176,SHA256=72D0FDD5AFD51F5BF65DFB178D9CEABD0D26CCECFB946DDC3B651335FD234196,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.295{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54064-false10.0.1.12-8000- 23542300x8000000000000000400560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:36.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E681697A7B32EC17AD433E41F00D1D,SHA256=179804D1238BE8EC19FC7B842C2E40452F479106D9D78715FB729FEA9FAB92A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:37.796{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1B1485C19B0DC18E36533316B5F048,SHA256=26B4A2DF7D8B69FEB36CD59EF51E98655A5C6464C6281C8164A04150E7BDDDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:37.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D58DF7326717F24053850A4FF5DDDBF,SHA256=090EE2F121986F2D005531468DC03824B94D128141BC7DF416FE70E55620C362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:38.810{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB99EDC650AE9B0E455A978D6F856A1D,SHA256=9427E687BA7CA3312BEC8E87FC1419550B66E4EBE3E5F4285BC6D733C407F10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:38.473{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7C8602A9299710988626B8949E2683,SHA256=ED496E9475624353C5F874D7A12804DC2699544783494E11D608A3B2B9092990,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:34.610{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:39.825{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AFC6037BFD1584D41B95BDCB0E1710,SHA256=FFE8D8037424A980E574A0DBA48724F7537DB34F775617FC2C720063A74A9DA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.723{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F1FC0B54770C9F84632CCF82DF2474,SHA256=952B858C2E08235D922D383E318494EDCC5FCC30179EC3C74B62E4357858FBF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.317{7F1C7D0B-0C13-60E3-E20A-00000000D401}40162712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C13-60E3-E20A-00000000D401}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0C13-60E3-E20A-00000000D401}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C13-60E3-E20A-00000000D401}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.162{7F1C7D0B-0C13-60E3-E20A-00000000D401}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C14-60E3-E50A-00000000D401}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C14-60E3-E50A-00000000D401}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C14-60E3-E50A-00000000D401}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.962{7F1C7D0B-0C14-60E3-E50A-00000000D401}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A94CF118822F0DBCFF93A9CC401AF9,SHA256=E22981DAA22B563AD2E474EA30E11386A89F0CA1511E51F8687BAD54E09D7C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:40.839{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECA637B36C4BAD29090E447E1DC62E9,SHA256=2925F448047F5563C42790C7D50DE4CE16DD708A4291DF15357077156DBD13B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.522{7F1C7D0B-0C14-60E3-E40A-00000000D401}19642376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C14-60E3-E40A-00000000D401}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0C14-60E3-E40A-00000000D401}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C14-60E3-E40A-00000000D401}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.334{7F1C7D0B-0C14-60E3-E40A-00000000D401}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.286{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0279B19B63AAE0D397C9F56C5B70C9B3,SHA256=2C69394EB9EA9CD44C28632640EC85234FDF080701832A6D5C067CC8BF70CA1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.083{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:41.857{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C709743383B8983B9BE946AC1F5FC4CB,SHA256=FA16C1139BECDF2FDA5C53C007865037F4FCA30F83C73B285E27331777E6F12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:41.460{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAE4928AFC6DC00F9190FE217A3DDAC2,SHA256=E97AF199B31AA671E4537B0F212F900C6817D9E5D4FD40ECE3CC7731AB1B2888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:42.875{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26492676E148B7665021438FD639E2D4,SHA256=34ABCB307660085E5560EC5FD3C4491FF6B683C9A989081B11D579396D2C3381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:42.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855B60EF45C1BE0178A7C5E8A99A1D37,SHA256=96D888913F9790B9D8CE291AF7A85EFC40F96E4E686F0BD8EA1B894DD9048C1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.342{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54065-false10.0.1.12-8000- 23542300x80000000000000001455798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:43.889{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53081731FDE0435D6D82D272446DA36,SHA256=15CD67246E55B4248E1258F78A1D505E594ECEE67562B30DBD82D405B74C929F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:43.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F71A6A6FBABA34297AEE8A874D9608,SHA256=A6D6CDE7D435D82F9EFD2CDE229237F0560C7EBAF96E65AABC2FE523F1916A0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:40.623{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:44.904{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B50BA8164E3043332515914843600E2,SHA256=279B8F1E178D3F179508DC0D8E3FAB0CDFF2E08E1C4B39564EC1DBB0C7C71801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:44.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE25BE8AC50628A6DB11D144F578B896,SHA256=66F64DAB9BDEA108C83D1C8A6C903E4EEFCE497DC2B82784BE5B0650B3B76307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:45.934{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04D1D9A9A09327E01F9DA4B399D3CC6,SHA256=A18D2E770564709B71F505B58748B89D9E89FB9BBE413F04F116C29735826CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:45.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95793EF03676F7EE6B52ACAC42267380,SHA256=C6043E5BC22A45778BA6258A24C7CBAEDA416D9B63C0529DA062FFDCB7ECD9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:46.955{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D751C4C69C3C8E86E3E76EE91D68CCF2,SHA256=A482E9B0E81CC0ABBFFC74A8DA91D5882998BEF7185385CC355C0B339E81E3D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:46.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B623D1B14F23F791B99EF93DD1D1E27E,SHA256=E63EA56BDC39984639A51393752DE7CE2E9CFAF8E8E68B75EB396559277C5940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:47.970{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DA9931C3DE499101B11E52D23E658C,SHA256=4B82C129B4B6A689AB11F41E5989F85FC6C9D610CC7E4D2B5588291B0220BC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:47.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F397F9EEA424C3221E6C2CC898E3ABA,SHA256=31E55BF38E7812BB2935122E6E1C949D4CD5BD96E61053F1701649F456DD2FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:48.984{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1DBBDDAE447366E878DA71B349382E,SHA256=FB3666DBCE1154417E71D947B1D6A35587F9B9D493A4A804E993BED310BA4541,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:46.368{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54066-false10.0.1.12-8000- 23542300x8000000000000000400631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:48.140{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60123170EC21ED2A85EFBEDC4DC86D7C,SHA256=06CED3134E25D6FEA80D7501042781F6C51CD6ACC2B8DB373555BF5154B51969,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:46.599{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:49.218{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADAF9E8A38B3DECD2195C5976F4A418,SHA256=F48937265657CC8561CFDA41C9E62B0E3B5BA34E6C94B6AD86AFA98B04B04CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:49.999{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BE7F421698722E6004B577713F6FC4,SHA256=C74C31103E4EF2444004394C8D2429A85F8A8C525950918B6013DEA27A8D4EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:50.250{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7646E07EFBE1874B8419DA372B8C402B,SHA256=3A3880A454E5B01D4ABC71466E8CD947D60444ABEAFAA8B5504D091F750C2973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:51.265{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D389ED8F46AAE04E8C2FC70BEB74C99D,SHA256=CABA572CD2447E916D020C72B211B71073A7A483BC51D91ABA565D3489783497,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:48.450{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-201.attackrange.local138netbios-dgm 354300x80000000000000001455807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:48.450{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-201.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001455806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:51.014{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E21F76500A886074E41C3B18A4E4C81,SHA256=E0F50F435DE2602CBA8BF092A1EAF959B8F38655C336D35123302AED5C1B5C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:52.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEDE4B78E7A3EF76065BCFF62589399,SHA256=402EEC77917E0FC85625286171B4C7856889A1AC25653C5C47288E365BC4697A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:52.029{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FEED979C017C8E4E49C2EF5992FE4C,SHA256=98BD5E67E165B2C54DA3A91DAAD0C580616FF6069C4FE3BC605811C6DDDE62B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:51.384{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54067-false10.0.1.12-8000- 23542300x8000000000000000400637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:53.312{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C003829D0C0A49AF2D88AC920F6EBF9A,SHA256=32330A9ACBC1FF06ED3EBF679AFA644709D162B8E211E694711F0A893DABE339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:53.046{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D16A8E662BA7AFF1EDCCF3DD2A1448,SHA256=A54D5FC6ECE6E040B00AD8F751BECDC21B1EB33882AF93AEEDFD2D32F801C972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:54.064{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A0C80908571EB8730FAD3B86219933,SHA256=939B2166962141BED827FB69ADE1A1E840353F9906745C557BE997E2BBCC4EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:54.312{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB21C9FCAF1F214C5BFB55F650F87A8B,SHA256=E7C3CA2290CA03E900AF510A748D675025B7512909515C3D2F03B9412BDC35DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:55.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7058477649EF154E6EA5621A8C864B65,SHA256=1E16CD3382A78A614C66BA22F51260ACEE08398757F12E8BBB5AFF32515C76C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:52.612{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:55.065{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2237D56F4DBF928479C9BA8233615CD,SHA256=095DB9B024353F59AC96793474835267EE7D23E72242B3EDB32AD721F61678E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:56.390{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5CB1321EC176132C8E2AE27A058EAD,SHA256=B84D6E3D48CC13545EEB6C028ADB084969C1D553A7EDF2953CB7CE8EEBD5BBEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:56.080{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3728953C462B81C14CFD2E7BC47C1049,SHA256=C4F4C220B80058FF20D856B8DECFE834082E1264AF05D2C818A7108BCA15A7EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:56.668{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.47.130-62312-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000400643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:56.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54068-false10.0.1.12-8000- 23542300x8000000000000000400642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:57.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048CCE378E8B2C9FDCAA77E2894EFCFD,SHA256=55032109E754865B8F2821A44FB5BAC0FBADE8A689E2A8B61E130672ED51758E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:57.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA75C805F81C330CD27E6AD5090BCD05,SHA256=797980AABC83001C05C0C5483C49D6FE9979163A5DDE1DA4FB23E15327724D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:58.453{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8EEBA30F8CCA7EE2FF642EF56FE142,SHA256=73F97DCE1B64BA625BEC91C99523BF3A7C7100693B154C124550D3941497064D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:58.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6C9B80A471E60B60978C15A46EF368,SHA256=5121E83822FB177A477B3BA815CFB4E5B4903794C8073A4BE88908030B4AA8B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C27-60E3-780B-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0C27-60E3-780B-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C27-60E3-780B-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.693{D694AEB8-0C27-60E3-780B-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001455826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:57.106{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.15WIN-HOST-88450889- 23542300x80000000000000001455825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.124{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7396875A2DFC79AD266840D24E29C48,SHA256=006DD17EC133BF5FC41004FAC4DCD14064432CDED5040A3B21E2B51064FEEF57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:57.873{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-884.eu-central-1.compute.internal50889-false10.0.1.14-53domain 354300x8000000000000000400647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:57.872{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9840:442:84cc:ffff-50889-truea00:10e:0:0:0:0:0:0-53domain 23542300x8000000000000000400646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:59.453{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04442A8D0E81561362202AAE8835DC5B,SHA256=FF0054399A8FAE2AABEDAC87F3278D380EA73D0535D3D97306AA00C41325C5EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C27-60E3-770B-00000000D301}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0C27-60E3-770B-00000000D301}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C27-60E3-770B-00000000D301}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.025{D694AEB8-0C27-60E3-770B-00000000D301}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:00.593{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCDFDDE8C05AA8F4C50776C9DC612A0,SHA256=331B9CAD932DFFC9DD17C4B028508C3D2360A463FF07D2B7FBCCEE7B3669E89A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.544{D694AEB8-0C28-60E3-790B-00000000D301}28604740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C28-60E3-790B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0C28-60E3-790B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C28-60E3-790B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.377{D694AEB8-0C28-60E3-790B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.144{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EFA72099A206B9428E74D106952372,SHA256=6E359B1228B613FD9643FF404E7C1E52247A64E053E83292DE62B74EBB4F4E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.060{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=490776EDB69868A5DFF567665E4485E6,SHA256=925833245FAB3BAB608C15046726DC0A1B694EC87DFDFC340CC9232934FF768A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.060{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDED70E7D93F14DA7BC7B2665411C5F1,SHA256=41F5D84219105B08E1CC5C191118258776BE29E4383133EC039CD53047266303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:01.609{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F734133DB19415AAF6539A5332693D4,SHA256=B6AFE9CFC6435A994234053F1E6D0888B7C36D68836612D30E28ACFF0DA91360,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:58.607{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:01.390{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=490776EDB69868A5DFF567665E4485E6,SHA256=925833245FAB3BAB608C15046726DC0A1B694EC87DFDFC340CC9232934FF768A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:01.190{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0C072FF56CC2E28DE32D45DBC69D80,SHA256=E58B39DF17A54BE8149F9AD0BAA66D04343D73F90DC387059F5584A9A9A6516D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:02.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EC88152B4126EE41533BF61F1B4FC3,SHA256=F6B1436848A1EDC688BAB75A5842AC11019BDF14B2874810A3479EF3287094F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.789{D694AEB8-0C2A-60E3-7A0B-00000000D301}58081872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C2A-60E3-7A0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0C2A-60E3-7A0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C2A-60E3-7A0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.559{D694AEB8-0C2A-60E3-7A0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.205{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7EE147641BB157F255625D3F1236E7C,SHA256=837647177ABD487D2B7DDCCD1DCAB654D863DD98774391605EDF7AB903941C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:03.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483A44A695845037A5253F0389501B29,SHA256=8ED39AC92C0782CDA082E2A87F9AA6B158D392DDD3A3515F60C07648D20FD026,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C2B-60E3-7C0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0C2B-60E3-7C0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C2B-60E3-7C0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-0C2B-60E3-7C0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC949048E5E4CD5774B2E1C6006F76D2,SHA256=7BFDEED4990585868BDFA6B64F367115E5FB8DD08A76642B653ECDD51E7844CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.389{D694AEB8-0C2B-60E3-7B0B-00000000D301}51165688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.241{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C2B-60E3-7B0B-00000000D301}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.239{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.239{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.238{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.238{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.238{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0C2B-60E3-7B0B-00000000D301}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.238{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C2B-60E3-7B0B-00000000D301}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.236{D694AEB8-0C2B-60E3-7B0B-00000000D301}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.220{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7408119E267EAB735A7DE375238D9224,SHA256=3E18924EB61B3603FD1DFEAC054E99F3C6841387B31CC2CF3DF2F92CF4427C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:04.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2F8BEA6257ABFF2338F35257E39B54,SHA256=DEF0134D3F6C3C39B75A9089F5D4ED7EC35BB9068915544815CBF776F93A2EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.958{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C69A2C03BEB66F91763BF4B6F1317D,SHA256=486D5899928FC563581A4B5BF9BE43843CE5F74DB98CE7FB10F6E4F25D6F7B33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.743{D694AEB8-0C2C-60E3-7D0B-00000000D301}49966416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C2C-60E3-7D0B-00000000D301}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0C2C-60E3-7D0B-00000000D301}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C2C-60E3-7D0B-00000000D301}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.590{D694AEB8-0C2C-60E3-7D0B-00000000D301}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.221{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C8BCE0E0B0F829839206C36B2D2B9D,SHA256=00270E074E279EF68F9956CE0E758623F74A7DE8E39E0A9D2E9211524810EB8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:02.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54069-false10.0.1.12-8000- 23542300x8000000000000000400655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:05.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D25C1471B6724B788D0493BBF06711C,SHA256=E4F5720324FA1D2846DA379BBB390D4EB651F92C4FE64B3D9B4669ECBB29F654,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.450{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61096-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.450{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61096-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:05.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FEB26527F2CA5F138C181EE95C0868,SHA256=90E1997A860876A96104468C07B34735CFB4DF436AC5F65942D90A97D4725442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:06.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7221DEBD40FB876E4ECC92DEDF8F6CBF,SHA256=CC0791080A0C72E9ECC4455B7339F4D9B65117EA48F9DB9B02188D1236A207C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.586{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:06.274{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9248A0398E1AC416358665E0C84398D2,SHA256=D09C91B6F94271CBFF4291B27D6E2810D4BCDA4C75D66AD68CEB077540913883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:07.337{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73744059D905F479EFD80327126DCE7C,SHA256=DD85635A74BCC53D27E3D1981C9BC7D8C85C0572853436A8EF76DF1DA2227A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:07.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB68DF35624BE636622D9385BFE9AC3,SHA256=AD3D2BEBF5D812641C379C76D43353D0FF6B54AFDDA4FB2D88B2A29176BBA730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:08.371{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B959BD59F5E19AF6FA6388FEF3712CCB,SHA256=8B27450333A62E096275473C3434E96A1BF2DD882C0111318D7134ACE9B98B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:08.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7259DD23CCFDA4AEF8790596673E8DDD,SHA256=4BEEAE9CE15F70B08439A1E8AF55588B4BADB85973C1C0C04D2F5F3CABDC823E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:09.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3825F7063FF625A5DFD36F3807722B1B,SHA256=05CDE41B01A9EA1459B4FF39709561882D43E379ECCB9F682CD39A8D23F1EF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:09.401{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C043DBC24DE8679BE2703C51BB4E4E,SHA256=35B649CB60F5B6E2B32E1D210276FDF645FBE3DA8F08B035AA04E3E50D56AABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:10.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B81A92E594EE8F9C6FAACCF5E6C3D1,SHA256=F4AFD0B7DDCA12DD314030A97472FB2C7BE3D4D267337685105E6847FEAE297C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:10.415{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5A3D665938E4077FAC52EDABB397E4,SHA256=2D6248A90F53DE862D4AD186DF759D219DBAE4C2A29EE19E5F79E91EDA81111B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:08.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54070-false10.0.1.12-8000- 23542300x80000000000000001455899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:11.432{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39CB4ED4570CD19AF83E8F3B6F7EB5B,SHA256=50C17F71C177778BF98C3DC74865233759E2759D9766B7D8F5A703DE3E313DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:11.671{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F505225E5DDCA3B97B71030A72EBF5,SHA256=2021D60948D1A241460B0CD23C29BABB038DD95167052DAF77707998EF702E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:12.703{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905A984968CBCEE9E97665C23420AB64,SHA256=2C5B1AFCC0A9730A0383F06DCD65C8E3428E1D662A4F3789AF6DFE447BE8194F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:12.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDFDC77BCAB25201EB29880B592D84D,SHA256=586A1797094C88C8DB9F4513133346F6DECF75D69E49DB5B9A8CFE7217C28049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:13.765{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1188B64995DDF569106B58BF208B3778,SHA256=482BFA1F49CD596F61BFE32966699D2C99EBE562A2A5183404570976A137A583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:13.496{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FE07CF3D167ACCD8CAA4E4DEA07D9D,SHA256=CA3A29AE4BD496DC5E994143144FD5684F43710264303EC1810FAE2147BE3F79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:10.598{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:14.968{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26E884B3F4AF5D22BA8C26B2A7437EA,SHA256=A756A65D21C01F2A00745A42EDD025B887A96942C31FD02FEF2A9ED231B4014A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:14.611{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=844950F5431A8880AFA9E8233A8DCC04,SHA256=2EA5DF00C95CB0498434545F12A45BCBAEEF275EE1A24D2992EF3971447F1D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:14.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3732EAD1E0AA00AF397FD8296D83948,SHA256=3A30260477792F71EC80B2C6F091E3A52740BC62658992710487E4290EEDDB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:15.984{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C97F5B8E7308946A106B7F3AF8A5B14,SHA256=E0F0086B58E46D33C1DDA6C48B7919260465FB5BC7CC7075673EFF3962CEED51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:15.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1ED45996B8AA3DFFAE4F8203D7C6B1,SHA256=6B47E1E203169A6FCB2B47475F53C4B2A0A66245661EA61DA0B5AB3CAE3B258B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:15.468{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FC714E6162493EA2A8AF3A282FEB57,SHA256=4D5C52FBA4ACE731571D5B907816E65C42B0EF73ABF1F99528A3B0A664A315BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:15.468{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AB7AB11043ACF493A70DF90A727FE6A,SHA256=02BA8B6D51BB78016F8E7BDC94E88BE3CBED7F8E8267696DF2608426E4694E43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:14.354{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54071-false10.0.1.12-8000- 354300x8000000000000000400666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:14.192{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-44059-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001455906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:16.563{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEC9E040F1CA0D34C0FBBE49E6B204D,SHA256=DC10DA11AC346893698FA83C94FF5D55B9B0D20A7F9201C0AD48A0AE24DB05EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:17.578{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98A5412DC0E9EFE61F207EDE91FEED5,SHA256=8561C1A5B6FD211E73FE30AAD5055E62F76BCCF91B793ED36C87615E284F61DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:17.046{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7316579CF07E6329946EB4083C336EAB,SHA256=EA60CD09AB7118C98828210EC8EC49AA4AF04465C73BBA31729FC7B5317AF72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:18.592{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC734ED2CDD046F94E6B58FB8653D962,SHA256=D7BF1F94B313BEEE88FDCD1E61B5632FB2CF53E464B9725C7BAB624F7832A84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:18.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E72327A419C387C5AF80296384A5C1,SHA256=FFBE2461B6AE4AA082789D0F50AAF9E9DED746ED302BC32CA05D974896225096,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:15.610{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:19.607{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9339D6D2B4B0C078EA79CE38C563C8,SHA256=B7D65DEDC4B75A07A314C4E383A24D3C82B873100ABB7EC1B4C2417E01EA770C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:19.218{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82B50F26AC764CEB6951F06FB9CD347,SHA256=1B4811A882583D3A75E4EDA5E2A93851F5A17E933777C10F406AF02E7FFB5424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:20.624{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59B80F3B85E41D97B110319FF5A4AF2,SHA256=FC1C96C9E65FEA2D8AF95565736DAEE0FC04C8EAB46C1904C27D3553B97178F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:20.234{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5E95948B9C95EAF4B9E2545EC2EE4E,SHA256=A49DEBDE7EF5F9A712F8BD283E6C96D418D2DCA588779E382472E96190BB37B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:21.642{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF3B0E9B0FCB25C19368989C184E286,SHA256=16B61F4442254C131DEC868F903B5F13F53AE03697E85766530BEBE2A67A9B22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:20.353{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54072-false10.0.1.12-8000- 23542300x8000000000000000400675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:21.234{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C079DCB508189F0D8D791879F8DB54A,SHA256=75D439867982DA0F10FF012FF324921B4D7A75C083792C0216E9E349DCD0E498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:22.657{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02146A0B342990CEA62026CA99F9D9C6,SHA256=1EBC9C8DD1FB661BC81ABF47492A2AEF6DF335CCB10DF285D432D07A53C19856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:22.234{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AC1C715F51139CAC2F9D29C8C87C2E,SHA256=BD5C160ADED136C7B0D4600598A448A30DEFBB9D894E94C61330DF53D00A6E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:23.707{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3058E3EF15766FF6F42860CBBDB3CB8E,SHA256=5BD185A5010DEE579866B0099C588EBA844F8A65350CEC3CD2B5DE78121BCDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:23.234{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCC72FF0688012DC3CE4327C3FCF14D,SHA256=2D3343023FAB6B3D143166D10D9DF3B1CDFB196D906B252E9AC0069B22E4B960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:24.743{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0294F5D83E561081E6AD687CC00E7B3,SHA256=6C27B1D238D6D009FC97ED8F3CD898DF91DBC6DC67E6FC62F41B67AB3F3C5C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:24.265{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59DE082689E779A6F9C41C5CBF30278,SHA256=FFCF9FABD1335A09C784CBC6BAE6C5470700617197D385ED96C5A6C6B895249D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:21.604{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.858{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4879E9436F01B297E5E4DED102490F,SHA256=D92B87603B9F7EF404B983DA0A3E0EB3D2224E4EA86D929013750E2C905B6F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:25.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650C873396F035F556FE47CC77E8470B,SHA256=A80892B3177DC7B1E732488EFBD4101F119A7BE09A905570C778BEF88139BC14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:26.922{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F00FF39F3575E8BA47357B588021FC,SHA256=455229D5CD17192F3FEC8BAFEBF10DB82B5A32CA102BDEDD9210C1598E8AFFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:26.390{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CAAE02655081EEA6DD75679218CAC6F5,SHA256=A37A9179A438BBA8389F439EDB024B64711C2B2F852A0DDE871D05B2D7A85FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:26.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C50E3F86B66D1116BC2073E1B68EAD2,SHA256=FDA8AFC1A1C35C960B5BFE59F8F50CE8500C6BFEB08C96A1F72DE982EA2B4028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:27.941{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83917C32FEA4EFCF239BC768DAE28506,SHA256=B25FDD84AFA2521BFC94B41D6D9DB7518A887C63035C588B3AC81F970C3902EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:27.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415C6C37AE1F502EE3A159B6FD817426,SHA256=8BC0E5CC1D7C8165AB5857A3D9630AAAEEC600590573A3BBCECF6AAEA98EFE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:28.971{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFB1AF8AC317DC10C4BE13782FA7D08,SHA256=557B388EA671C91BF4E546B2CAE86687D428311030E929CF7D4927DD2DFFF67E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:26.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54073-false10.0.1.12-8000- 23542300x8000000000000000400687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.312{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB034550129E24AE5EFA3E8981DE2BEF,SHA256=4C1D9DA571C575C5762D27DB3CC6A3C1105E5B650BA95EE576FD0DC8234300AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.250{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.250{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.250{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:29.828{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=904422C45F7C84E978E964094175438E,SHA256=4E52A127F0EAFABE38298903EBA1A87BFFF953139F7266E2D39FEF540F2AFFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:29.828{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FC714E6162493EA2A8AF3A282FEB57,SHA256=4D5C52FBA4ACE731571D5B907816E65C42B0EF73ABF1F99528A3B0A664A315BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:29.328{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE02428295C95E008160CA987645AF8,SHA256=69B91E58D5159899F961A06FC4C0CF0DE9B5B4BE8264D3303875FEB7D6708422,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:27.569{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000400693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.724{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53358-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000400692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:30.343{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD086CA54305473AC841626EC1EF01C,SHA256=2D3C234F4FEA87401F5DEB59C8661A236A6202EA3A9926DEDB677DAD63309F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:30.786{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:30.001{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907508B91841A60FE7FC439F3408231B,SHA256=868F2103FCC387DB8F4D7F5DAFC1967E2F1F52D40CC4AC35D8CE7058BE88CA8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:31.453{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:31.343{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C3ABFDCAA084D87BE6A777E6856129,SHA256=553FA8DEE7F8F565E63A5E54292B26BBC4D62E6FE80801013F70CA0F171CB296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:31.019{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E356F09E879330CD25219F12ACECFF4,SHA256=F02A8496B751D1A4134A3D3453440BF7CC0C4384B39DD2F06FA05799727083DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:32.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55742DAF8029AAC610254C66DB93D006,SHA256=778B0B12173BB7C471FDAEA40113F07171E49B58C5853BE3EBE2FE4129E2B981,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:30.217{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:32.037{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A1324320A70AE434D1660C85BFC1DD,SHA256=6A0C6018B9FEE4F62EAEB63CEDFF47BAC79C4DFA7B6390210A9A02276B92EAA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:31.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54074-false10.0.1.12-8000- 354300x8000000000000000400699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:31.650{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54075-false10.0.1.12-8089- 23542300x8000000000000000400698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:33.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE87E3F9EDB47A607270251602288EAE,SHA256=A8D93FF24997DBA1DCDA6698A01C30848AF6294D65756934AB79B3528CD54A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:33.052{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6C86E28F5A30B35118AC8A219E5594,SHA256=115F9A2FA71D105F11D443EF3BA51A3AC0B02D31ADE6D9EEEBE23D75B7774646,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.703{7F1C7D0B-0C4A-60E3-E60A-00000000D401}6523896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C4A-60E3-E60A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0C4A-60E3-E60A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C4A-60E3-E60A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.517{7F1C7D0B-0C4A-60E3-E60A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1735152E22B9E08733ED59A4EF1B9F,SHA256=802D630F115E6A4D8FCC7637C190710DC5E3F376B08823976CCC7A3411E0F32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:34.081{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5825AA466B80B659164924F5D87705,SHA256=0CA2B3583EF3DCCA5C27305A3704D45110512178CB6D8DE4FCDEC8E5B2F538E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:34.050{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7CB48C532A85D953DF83C758E8913755,SHA256=59BAE2FF9756E4095744CD37236F88DCF2EBFE4C2E8D9A16D4A2FBC1AFCC769A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C4B-60E3-E80A-00000000D401}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32