Sysmon event records from Microsoft-Windows-Sysmon/Operational on win-dc-391.attackrange.local and win-host-944, 2021-08-24 09:19:48 to 09:20:02. The original XML tags were stripped, so the fields below are separated with " | " and labelled by position according to the Sysmon event schema (the "|" inside a CallTrace value is Sysmon's own frame separator and is unchanged).

Every record starts with the nine System fields:
EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer

The EventData fields that follow depend on the EventID:
Event ID 1 (ProcessCreate): RuleName | UtcTime | ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine
Event ID 3 (NetworkConnect): RuleName | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
Event ID 10 (ProcessAccess): RuleName | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
Event ID 11 (FileCreate): RuleName | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
Event ID 17 (PipeEvent): RuleName | EventType | UtcTime | ProcessGuid | ProcessId | PipeName | Image
Event ID 23 (FileDelete): RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

Records (in the order they appeared):

23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45325 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:51.473 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=234E7960897DE84444F76369D7E43108,SHA256=8CAF853DFF9EAF5244831768CA5EA0B2B84CD640D4533DCCBB8A5AC17CCFD651,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25483 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:51.045 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=DB5AE3C954CED52E432B122D7F56DF04,SHA256=9AF3E04B89AC4D7A2EC137FD6F85FBAE1577AF8D8B1D503523696A21D55C732C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45324 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:51.095 | {80A11F3A-A5BA-6124-9206-00000000F001} | 5540 | ATTACKRANGE\Administrator | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | MD5=28178D03A7FD07A2D5FEFD42A5217354,SHA256=FF40020F56F785DD02779BDCA5394EC31F44C8DCAA6E41CDC5BAA4F4850EB503,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45323 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:51.026 | {80A11F3A-A080-6124-A400-00000000F001} | 3688 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | MD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25484 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:52.185 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=7B980D731ECE29440577120F07602147,SHA256=4E6403569FD9A4481C8DC6E87295E9B6513E3D6B47B6EC8C85D1924850092B39,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 45328 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:49.100 | {80A11F3A-A088-6124-D200-00000000F001} | 1116 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-391.attackrange.local | 52203 | - | false | 10.0.1.12 | - | 8000 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 45327 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:48.921 | {80A11F3A-A080-6124-A400-00000000F001} | 3688 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-391.attackrange.local | 52202 | - | false | 10.0.1.12 | - | 8089 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45326 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:52.491 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4191761ACA6369DE90327DA9F4A2375F,SHA256=D775DA78546A5532DD9CC96612208B84948DA2A75E2C216340788D5B5BB7D71A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45329 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:53.510 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=827D195636FF9942B5D7D2433DAEC0EE,SHA256=4122AA554833EB5FF73987DA8CD79B82288E053F4C8EA895A8164C59270F0946,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 25489 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:50.761 | {D371C250-A256-6124-D000-00000000F101} | 2604 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-944.eu-central-1.compute.internal | 50923 | - | false | 10.0.1.12 | ip-10-0-1-12.eu-central-1.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25488 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:53.404 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=99BF1F7E2BD15866965CE3124AB7059A,SHA256=26916604DE711FA15086B2EC954CAAB4E036F5154C7283686DF919124A9E0DA1,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 25487 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:53.263 | {D371C250-A1CD-6124-0C00-00000000F101} | 720 | 3576 | C:\Windows\system32\svchost.exe | {D371C250-A1CD-6124-1300-00000000F101} | 796 | C:\Windows\system32\svchost.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 25486 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:53.263 | {D371C250-A1CD-6124-0C00-00000000F101} | 720 | 3576 | C:\Windows\system32\svchost.exe | {D371C250-A1CD-6124-1300-00000000F101} | 796 | C:\Windows\system32\svchost.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 25485 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:53.263 | {D371C250-A1CD-6124-0C00-00000000F101} | 720 | 3576 | C:\Windows\system32\svchost.exe | {D371C250-A1CD-6124-1300-00000000F101} | 796 | C:\Windows\system32\svchost.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25490 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:54.420 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=EF95DC38FE25723A4A1ED7074B9BFC05,SHA256=773877A6BEEB355192E4F21C643552990EAF8BB8E703429B716779EC050CDFB3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45330 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:54.525 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=004E4A341ED22BD9D314E41B516A5BA9,SHA256=562CACE6FBB7A408F198F5958B2223F127B4B345936E9585D3FBBBDFFF3D85B8,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25491 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:55.654 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=CEF80174278285DD763C2545E89E2D68,SHA256=9DA46E45C159F01A7A2554C12610E1A9C7963D641165E952FAF1F3139A10F02B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45331 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:55.540 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=39AC265297D5CD3352A40B39742EE0DC,SHA256=3689F77D1158B06242FB3E0072EB7470471AFDA49E52E0977B44FE82447DF523,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25492 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:56.888 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4AF3EE57B6DD5FB87564DE3F187150FC,SHA256=ACC5625A2C7695C41F90F45C29ECF33FD3181D03C8FF87F12CA3424CA6C8A797,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45339 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:56.855 | {80A11F3A-A44E-6124-D004-00000000F001} | 4160 | 1456 | C:\Windows\Explorer.EXE | {80A11F3A-B9A5-6124-1609-00000000F001} | 4404 | C:\Windows\system32\cmd.exe | 0x1410 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45338 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:56.855 | {80A11F3A-A44E-6124-D004-00000000F001} | 4160 | 1456 | C:\Windows\Explorer.EXE | {80A11F3A-B9A5-6124-1609-00000000F001} | 4404 | C:\Windows\system32\cmd.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45337 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:56.855 | {80A11F3A-A44E-6124-D004-00000000F001} | 4160 | 1456 | C:\Windows\Explorer.EXE | {80A11F3A-B9A5-6124-1609-00000000F001} | 4404 | C:\Windows\system32\cmd.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45336 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:56.855 | {80A11F3A-A44E-6124-D004-00000000F001} | 4160 | 5936 | C:\Windows\Explorer.EXE | {80A11F3A-B9A5-6124-1709-00000000F001} | 7004 | C:\Windows\system32\conhost.exe | 0x1410 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45335 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:56.855 | {80A11F3A-A44E-6124-D004-00000000F001} | 4160 | 5936 | C:\Windows\Explorer.EXE | {80A11F3A-B9A5-6124-1709-00000000F001} | 7004 | C:\Windows\system32\conhost.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45334 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:56.855 | {80A11F3A-A44E-6124-D004-00000000F001} | 4160 | 5936 | C:\Windows\Explorer.EXE | {80A11F3A-B9A5-6124-1709-00000000F001} | 7004 | C:\Windows\system32\conhost.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45333 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:56.855 | {80A11F3A-A44E-6124-D004-00000000F001} | 4160 | 5936 | C:\Windows\Explorer.EXE | {80A11F3A-B9A5-6124-1709-00000000F001} | 7004 | C:\Windows\system32\conhost.exe | 0x1410 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45332 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:56.589 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=A94A2113CDF516A19C7DB42A99A499AC,SHA256=AD81CCE81224FE89BCA0E7F07C862947620E53972B47C7C6065DF87CDC5DCF20,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25493 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:57.935 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C9A453D991CFDF36E69254AE657BE80D,SHA256=4388DEE9FEB333E8707E33A95A05FC3E7F9792E25730201F2A07D215C6A54106,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45340 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:57.607 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=7B46C57749434C85C6A4E0E23E3E2BB5,SHA256=384A43559C89400FE9AE99F05A2F30165B3DB3D6B7CBE994C9990340552E3D45,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45341 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:58.623 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=2BEA7C0D3D055C839B402C2A14212510,SHA256=7F50E6957E92C86967684EEB119B94274B01D9C676E4667E5B9C6A2B82B1D0B5,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 25494 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:56.746 | {D371C250-A256-6124-D000-00000000F101} | 2604 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-944.eu-central-1.compute.internal | 50924 | - | false | 10.0.1.12 | ip-10-0-1-12.eu-central-1.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45343 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:59.637 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=28329024FAD6C97DF201A07C63F15381,SHA256=2A5C8860EFE88069FF4BDDB6FBF57C421B3DDB35D37EBBDEFB4B13A8C4AFE46C,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25495 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:19:59.170 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B23771DDB657F135C490BA26D8ADB446,SHA256=2DC7BCC83755056EF246CB43B7A9FB99B40790178D33B1A34937DFC2EBBE291B,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 45342 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:19:55.049 | {80A11F3A-A088-6124-D200-00000000F001} | 1116 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-391.attackrange.local | 52204 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25496 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:20:00.404 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1AAD5BC6B548BAB119B9A3FB4897ED1D,SHA256=0FA8BD04990254B25C858E1365B55DA6E637E910800E39177BA4ED7E8F1EDDBB,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45352 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:00.706 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=AECF0FE1C2BA61DFE7C2E7FD9328490A,SHA256=0455C3223EBCB3A028DCE8E3B6A42A97D2D7D1A2CB9C31AB938E3D3CDFFB6A9B,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45351 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:00.537 | {80A11F3A-B9A5-6124-1709-00000000F001} | 7004 | 5548 | C:\Windows\system32\conhost.exe | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45350 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:00.537 | {80A11F3A-9FFC-6124-0C00-00000000F001} | 852 | 6956 | C:\Windows\system32\svchost.exe | {80A11F3A-A00D-6124-2D00-00000000F001} | 2148 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45349 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:00.537 | {80A11F3A-9FFC-6124-0C00-00000000F001} | 852 | 6956 | C:\Windows\system32\svchost.exe | {80A11F3A-A00D-6124-2D00-00000000F001} | 2148 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45348 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:00.537 | {80A11F3A-9FFC-6124-0C00-00000000F001} | 852 | 6956 | C:\Windows\system32\svchost.exe | {80A11F3A-A00D-6124-2D00-00000000F001} | 2148 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45347 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:00.537 | {80A11F3A-9FFC-6124-0C00-00000000F001} | 852 | 6956 | C:\Windows\system32\svchost.exe | {80A11F3A-A00D-6124-2D00-00000000F001} | 2148 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45346 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:00.537 | {80A11F3A-A44A-6124-B604-00000000F001} | 2788 | 4036 | C:\Windows\system32\csrss.exe | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45345 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:00.537 | {80A11F3A-B9A5-6124-1609-00000000F001} | 4404 | 5216 | C:\Windows\system32\cmd.exe | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1 | 5 | 4 | 1 | 0 | 0x8000000000000000 | 45344 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:00.536 | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 10.0.14393.206 (rs1_release.160915-0644) | Windows PowerShell | Microsoft® Windows® Operating System | Microsoft Corporation | PowerShell.EXE | powershell | C:\Temp\ | ATTACKRANGE\Administrator | {80A11F3A-A44C-6124-23D7-2F0000000000} | 0x2fd723 | 2 | High | MD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453 | {80A11F3A-B9A5-6124-1609-00000000F001} | 4404 | C:\Windows\System32\cmd.exe | "cmd.exe" /s /k pushd "C:\Temp"
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 45360 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | CreatePipe | 2021-08-24 09:20:01.972 | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | \PSHost.132742704005364625.1796.DefaultAppDomain.powershell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45359 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:01.925 | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3ydmc2ml.uxo.psm1 | MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45358 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:01.925 | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gqdlpmkr.hsq.ps1 | MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45357 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:01.757 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=23120C030D5E2ECBE86B953FDD3834B3,SHA256=150E4C8F027CC11B53D85FE2566F2D806F45EF6554E154A407BAFE18EE61A63D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25497 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:20:01.404 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=5013970C6150912FB6C5C8F65A0548A1,SHA256=A0D7DE9404708F7606E1B5D3E657B7C6197D591CFF343BEF835790929BF0E98D,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 45356 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:01.639 | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gqdlpmkr.hsq.ps1 | 2021-08-24 09:20:01.639
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45355 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:01.614 | {80A11F3A-9FFC-6124-0C00-00000000F001} | 852 | 6956 | C:\Windows\system32\svchost.exe | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 0x1000 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45354 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:01.527 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=C82AB87BEE153B176860E32796E221CA,SHA256=B707E4B33F2A8C501A4704FC2E572F3327B1B9FBDEB667CAC077BA0EC404B8C5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45353 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:01.526 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=37AF03B05C8D43ABB3CA82A02A7F1D3C,SHA256=D3F99EB38DBD4BE3F5B6DBF1A8A51846CA96272D9C52570922A21110899BECFA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45366 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:02.765 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=BE544B4A683B450821CBD5214E3F9993,SHA256=9CA641E5EFCBE4EF00E9C0163E18281D4BB9F95AC2EF4EBD4FBB42BBCDED9D30,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 25498 | Microsoft-Windows-Sysmon/Operational | win-host-944 | - | 2021-08-24 09:20:02.404 | {D371C250-A25C-6124-D900-00000000F101} | 3956 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=0AB08984C59DC29CEF3C8E0B9D0B2CF9,SHA256=EC35A4FA1B76AB81918A6F0DAAF669FC74FA3FFA53FF71C21FA27F801E66E0A8,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 45365 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:02.633 | {80A11F3A-A08E-6124-DF00-00000000F001} | 3932 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=929BB6C52140CC41F8211E78956555B3,SHA256=D058E0B74305152002A743ED87CB68A4E7F7E461C97B4B73D5ED8A06B51979B0,IMPHASH=00000000000000000000000000000000 | false | true
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45364 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:02.175 | {80A11F3A-9FFD-6124-1600-00000000F001} | 1296 | 1924 | C:\Windows\system32\svchost.exe | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45363 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:02.175 | {80A11F3A-9FFD-6124-1600-00000000F001} | 1296 | 1344 | C:\Windows\system32\svchost.exe | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 0x1478 | C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 45362 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:20:02.159 | {80A11F3A-9FFB-6124-0B00-00000000F001} | 632 | 3560 | C:\Windows\system32\lsass.exe | {80A11F3A-B9C0-6124-1809-00000000F001} | 1796 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 0x1478 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045361Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:02.159{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-B9C0-6124-1809-00000000F001}1796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045367Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:03.779{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71F2B9849355B7EF75D922388DF05B7,SHA256=2DCAB6D6CF0AFDCDAE55B48F87A4C434649AFDF34EE61EE8C8CBD8DE133179D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025509Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:03.404{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69DE48CFF5E3AA112650E0D5E75257F,SHA256=5D0800A7F77F547F00A2D5D36DD884A1844E5D2B0D56EBDB25C0430F7AF8B030,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000025508Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000025507Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005da719)
13241300x800000000000000025506Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c0-0xd69b00dd)
13241300x800000000000000025505Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0x385f68dd)
13241300x800000000000000025504Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d1-0x9a23d0dd)
13241300x800000000000000025503Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000025502Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005da719)
13241300x800000000000000025501Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c0-0xd69b00dd)
13241300x800000000000000025500Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0x385f68dd)
13241300x800000000000000025499Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:03.279{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d1-0x9a23d0dd)
23542300x800000000000000045368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:04.795{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29CBDF7965C19C321482E9F221B1F58,SHA256=0B52545347B9CB301A28FE05DB35589048386EFD933BF9E14A2F7C54576B6AA4,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025511Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:02.793{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025510Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:04.420{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C030CD6803DA0BC8238EE7268928227,SHA256=1639FE86497C0E374EB8DA22DE5649B072C629DFAA59118C5A150FBC950BD744,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025512Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:05.654{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3B62F35CEB49DC77CCEAB6FBD0D7B8,SHA256=985D4A92C35D6EAD5E7C8710992BD7EB4EA6F85B713EB677DC60ADCE7F64E70C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:05.847{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-9FF8-6124-0100-00000000F001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
23542300x800000000000000045370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:05.810{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF2D061BF615C34B8A24162061FDEDB,SHA256=551E2836DD7595EA1E97C77D0FD03382DFEC6E80A3B6BC46CDE77CD0F20668BB,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:01.038{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52205-false10.0.1.12-8000-
23542300x800000000000000025513Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:06.716{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57067BC13AB340D9A8EFF33C40F968BB,SHA256=B98449CC0193913C1B48C5C9395CB621C7540C87CB06AFC77870D88DBB539B48,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:06.862{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4875953713CD69BB8326A93741BED5C,SHA256=B2314144721D04DE70FF6157B94DADDCDF6EF85080D59D1B0D176A8FE51BE095,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:06.862{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C82AB87BEE153B176860E32796E221CA,SHA256=B707E4B33F2A8C501A4704FC2E572F3327B1B9FBDEB667CAC077BA0EC404B8C5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:06.827{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1938D38A0138986B4D67904CA7AC32,SHA256=68207B7890B91950E52B1F350A9E7F21F07349AE60E337DE6F2B6EEE4CB203F3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025527Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9C7-6124-8506-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025526Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025525Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025524Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025523Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025522Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025521Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025520Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025519Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025518Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025517Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-B9C7-6124-8506-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025516Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.826{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9C7-6124-8506-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025515Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.827{D371C250-B9C7-6124-8506-00000000F101}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000025514Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:07.732{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D95CF5B4CF5EBF4CBA14AAE2A5840B,SHA256=932A6C8CBA9D1BCEB11B36ABA0AE798E3B71EE50AA205C63716FEE5326FDBC16,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:07.846{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36D1384B0915E257529C54DDC1643C9,SHA256=0FD1A5FC0A7DB6DB9025FBEDA8ECF0B2EC855DC2C1528B985731C0BB397CB960,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:07.608{80A11F3A-9FFD-6124-1600-00000000F001}12962252C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:07.608{80A11F3A-9FFD-6124-1600-00000000F001}12962252C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2A00-00000000F001}2964C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000045376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:03.758{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52206-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds
354300x800000000000000045375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:03.758{80A11F3A-9FF8-6124-0100-00000000F001}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local52206-truefe80:0:0:0:602a:bdbc:a5ca:90b5win-dc-391.attackrange.local445microsoft-ds
23542300x800000000000000045383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:08.861{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954FF6E6038D771126F9ADFD524886B5,SHA256=7F32BDD963D0BB182FA1D0E3AFB8D034E4A834DD1EE5F68998D2F5C000D89EAD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025540Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9C8-6124-8606-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025539Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025538Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025537Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025536Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025535Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025534Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025533Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025532Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025531Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025530Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-B9C8-6124-8606-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025529Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.420{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9C8-6124-8606-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025528Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:08.421{D371C250-B9C8-6124-8606-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000045382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:08.563{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-106MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:08.408{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0459BB8BF1CA6F0C0FDBB476CEE70395,SHA256=A27937B49037D2F1F4ACB01D3D94AC61962DCDF46EFE54944C7CAD80EEDE4FE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:08.308{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E8FE732A60D7FFC857B2C5297D80FEFA,SHA256=7BDA6B6C2D44772ECFB80B19AC739A73A7BA525AED2BFACE69B52457DBCF1453,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:09.878{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5847D4700D2E2FEA8C3C2B9D739C3517,SHA256=C14F83CC0B05EF0D981D19AF7C5FFBBBCFEDC349655DF2369ED4CD6519B4F9D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025557Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.295{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2025FECD311D844EF2BA5FAB5F0B1A25,SHA256=B65684FE61445B02412F2D8DBD5AE731FDC9379B6F864BED42723F0BB30A5053,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025556Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.295{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7545D67E0D6B74E77EFF36060F6FB3,SHA256=348B964A90D07297BEBE4AC8DD5CB1659D4F27CA4FE02992C7512D411EB3B2F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025555Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.295{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FB0BBE38AA22A50E8A784ED9E8D1B3A,SHA256=CC7685079A6452428AD129075B162A2DBDEFAD8B60A7A5E1D7177D81ABB530A0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025554Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.248{D371C250-B9C9-6124-8706-00000000F101}12243464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025553Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9C9-6124-8706-00000000F101}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025552Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025551Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025550Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025549Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025548Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025547Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025546Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025545Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025544Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025543Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-B9C9-6124-8706-00000000F101}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025542Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.091{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9C9-6124-8706-00000000F101}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025541Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:09.092{D371C250-B9C9-6124-8706-00000000F101}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000045384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:09.577{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:10.909{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0899DDE9A7F414D92E40942C1371B0AF,SHA256=3621D91A0CAD38423B772B28DA7F09181B9FE1C6510BC536CB9BD2A33635341B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025573Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99A1A2648EDD12925C95366E5DFCA9D,SHA256=619923AC0E5D339BE8089D1F272BD9D6E1577275546C0048CEA45A328AECAED5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025572Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.190{D371C250-B9CA-6124-8806-00000000F101}32643600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000025571Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.112{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2025FECD311D844EF2BA5FAB5F0B1A25,SHA256=B65684FE61445B02412F2D8DBD5AE731FDC9379B6F864BED42723F0BB30A5053,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:06.055{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52207-false10.0.1.12-8000-
10341000x800000000000000025570Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-B9CA-6124-8806-00000000F101}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025569Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025568Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:10.018{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025614Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025613Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025612Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025611Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025610Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025609Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025608Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-B9CC-6124-8B06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025607Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.299{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-B9CC-6124-8B06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025606Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.301{D371C250-B9CC-6124-8B06-00000000F101}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000025605Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.221{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79885DADF7920BC866D9880912C2FA15,SHA256=06C222D820D1830745DE0630A0FDFA82D3C283711CFAD0590953CA879CC23957,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025604Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.127{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADE0F4935C36BB0BA0F919BDED0095C8,SHA256=F2C443339A6AE0E74E6270CC4DFB1653FC366B84D02E5E8B4D8CC5CDB3EC0607,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025603Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:12.033{D371C250-B9CB-6124-8A06-00000000F101}2564648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:13.976{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34739C0614265B2FE36E7E4B395DA715,SHA256=92A57F866882DD166F90FCE9A475866A73164FD73B2D82A51343DCA760E018E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025620Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:13.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A70487DD7417A428E00F007489D241,SHA256=6C2C414178916DAE313189B46E3A8A0F0EEC2446C7530B26A99FB8BA2ACCA21B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025619Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:13.315{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38216060E3FF7D2B5002133BE07889BC,SHA256=E66A215ADFE86117596FD8ACDD4779D14E94DDB3FA8A65931B298B4BEC43F3C9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025621Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:14.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CB10F02EA1F08C849BDE6F18B8B70A,SHA256=4C732BB36E9E4094D171F92097DDE15440A029DAB8E77120DD19BE42AFBC6C54,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:14.644{80A11F3A-A44E-6124-D004-00000000F001}41601456C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:14.628{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:14.628{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000025622Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:15.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E1AB647802C6B06F4B593B3D4E048E,SHA256=3B805A608DC7FD7F09EA8DC7718883839DD1BF8D260F433F3EE0C3092F1D953B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:11.116{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52208-false10.0.1.12-8000-
23542300x800000000000000045395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.006{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BE10501DBFE4E8D9B12E57220F6910,SHA256=3DADDDDDFE5B4C99D3FB8265C96B54D6B1341DD2BEEFAFB4292F12CCCDC6CF6D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025624Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:16.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FD704BFB5CFE5553E2736523A82F65,SHA256=C557C2ADBC7735EF38BDE2AE05EFAC30705E2F4AA6B97A276996D3D755253751,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:16.007{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D687507A80FF3F78919A257D5CAEC9BF,SHA256=565038994201485E58D5E044D00B04A56E03D0529F5B9EC88556043B8DFD97D7,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025623Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:13.782{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025625Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:17.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4FA0B978294DAE8760926BCD5503D6,SHA256=FEE8384D12F245C334F7E7DACCEEDBDCBC32BD06F9250761DDBE288AA52AD4C8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.644{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.628{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.628{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.627{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E7779DD3A4EE4D858DE931A4B08A88,SHA256=A4F797011C16650912896A679B87E41ED7460D11195AB33D8F7DBA6F79831017,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.626{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4875953713CD69BB8326A93741BED5C,SHA256=B2314144721D04DE70FF6157B94DADDCDF6EF85080D59D1B0D176A8FE51BE095,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.607{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.044{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D88B7CA6C606DE243A9D04E4C320C6,SHA256=4CEBA6CC8E974B41BEACC523A795169FDD8FEB39D5E6EDE690AF1F23BDF194A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025626Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:18.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202E087E7C0776204DF2630ACFA7609F,SHA256=9EC7A8EAA249E6DB9E7DE387231A174CE4B3EBAD09189CB34E6BEAC4F26D18D5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.959{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
10341000x800000000000000045422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.675{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BF-6124-9706-00000000F001}5788C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79899|C:\Program Files\Mozilla Firefox\xul.dll+e7ad5f|C:\Program Files\Mozilla Firefox\xul.dll+1195606|C:\Program Files\Mozilla Firefox\xul.dll+e766dd|C:\Program Files\Mozilla Firefox\xul.dll+e5e5f0|C:\Program Files\Mozilla Firefox\xul.dll+1ef0312|C:\Program Files\Mozilla Firefox\xul.dll+1a31108|C:\Program Files\Mozilla Firefox\xul.dll+1a3327f|C:\Program Files\Mozilla Firefox\xul.dll+17a86d7|C:\Program Files\Mozilla Firefox\xul.dll+1bdac45|C:\Program Files\Mozilla Firefox\xul.dll+16e9761|C:\Program Files\Mozilla Firefox\xul.dll+1b7ebc9|C:\Program Files\Mozilla Firefox\xul.dll+17a5738|C:\Program Files\Mozilla Firefox\xul.dll+1756d76|UNKNOWN(00000320DE9D1E84)
354300x800000000000000045417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.520{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55060-
354300x800000000000000045416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.517{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58415-
354300x800000000000000045415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.187{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58242-
354300x800000000000000045414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.185{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61048-
23542300x800000000000000045413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.075{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE53F349DECFFD3CF9E1A5C7F796167,SHA256=F109B284E462B52A36ADC50148ADBAD889B2861DE49AD0F9055D6346BE954C79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025627Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:19.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9290F260F73B67F4E8DAB3AE4E7A9CD1,SHA256=1FEB0F11DD417377903E76E7C812585E1CC9786901D8BF2CE90946EC58D10336,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.609{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52209-false3.215.161.145ec2-3-215-161-145.compute-1.amazonaws.com443https
10341000x800000000000000045429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.374{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.374{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
22542200x800000000000000045427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.523{80A11F3A-A5BA-6124-9206-00000000F001}5540analytics-collector-28944298.us-east-1.elb.amazonaws.com0100.26.82.72;44.195.138.131;3.224.104.154;3.215.161.145;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000045426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.522{80A11F3A-A5BA-6124-9206-00000000F001}5540collector.githubapp.com0type: 5 analytics-collector-28944298.us-east-1.elb.amazonaws.com;3.215.161.145;100.26.82.72;44.195.138.131;3.224.104.154;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000045425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:15.522{80A11F3A-A5BA-6124-9206-00000000F001}5540collector.githubapp.com0type: 5 analytics-collector-28944298.us-east-1.elb.amazonaws.com;::ffff:3.215.161.145;::ffff:100.26.82.72;::ffff:44.195.138.131;::ffff:3.224.104.154;C:\Program Files\Mozilla Firefox\firefox.exe
23542300x800000000000000045424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.105{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A5B0406C2CED3C368D4F9393CE5543,SHA256=CC3539B654109E4E3D0CB067E388E8F0F60D41F748BC1136EBFD838EC051D550,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025628Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:20.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEF0B5EFA14C9C8BBC4AA899BBF464C,SHA256=5B839DFD0C0F984E03D310F540A18BA76CCF7466AE371862A4BBFD1583200A57,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.738{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.681{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BF-6124-9706-00000000F001}5788C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79757|C:\Program Files\Mozilla Firefox\xul.dll+8dea37|C:\Program Files\Mozilla Firefox\xul.dll+8d2f14|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.674{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+27aead8|C:\Program Files\Mozilla Firefox\xul.dll+279fe1c|C:\Program Files\Mozilla Firefox\xul.dll+c271f1|C:\Program Files\Mozilla Firefox\xul.dll+2796eed|C:\Program Files\Mozilla Firefox\xul.dll+c2e536|C:\Program Files\Mozilla Firefox\xul.dll+c276bb|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c292d8|C:\Program Files\Mozilla Firefox\xul.dll+279815e|C:\Program Files\Mozilla Firefox\xul.dll+2797ef4|C:\Program Files\Mozilla Firefox\xul.dll+c2f792|C:\Program Files\Mozilla Firefox\xul.dll+c29539
10341000x800000000000000045440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.669{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+27aead8|C:\Program Files\Mozilla Firefox\xul.dll+279fe1c|C:\Program Files\Mozilla Firefox\xul.dll+c271f1|C:\Program Files\Mozilla Firefox\xul.dll+2796eed|C:\Program Files\Mozilla Firefox\xul.dll+c2e536|C:\Program Files\Mozilla Firefox\xul.dll+c276bb|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c292d8|C:\Program Files\Mozilla Firefox\xul.dll+279815e|C:\Program Files\Mozilla Firefox\xul.dll+2797ef4|C:\Program Files\Mozilla Firefox\xul.dll+c2f792|C:\Program Files\Mozilla Firefox\xul.dll+c29539
10341000x800000000000000045439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.665{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.657{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\cache2\doomed\18200MD5=0C58E9CFD1C20412019928463563193C,SHA256=F2F26AC5848DF1C00C361EC9958FF169A2F29C142755285AC9C5B81CB3CCA116,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.657{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.657{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.645{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.641{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.641{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.641{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.126{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11734243F9B8629B69F8F7CE849C877,SHA256=0856AFD2B264436F2EC0EC1A59476E622A203AD84FA22FE75A32F203A7DB799F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025630Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:19.688{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025629Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:21.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857D1D55313DA4D92CC3C3FA25989F4D,SHA256=80473A661089A18750EDFB7346A5F976DBFAEA36C9C2F4F177FA1C2A91A5AC1B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045458Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.859{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-391.attackrange.local51695-false172.217.23.110mil04s23-in-f14.1e100.net443https
354300x800000000000000045457Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.858{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local51747-
13241300x800000000000000045456Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:20:21.974{80A11F3A-9FFD-6124-1000-00000000F001}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d798c9-0x438af1f0)
354300x800000000000000045455Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.522{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-391.attackrange.local53069-false142.250.185.195fra16s52-in-f3.1e100.net443https
354300x800000000000000045454Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.521{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53218-
354300x800000000000000045453Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.520{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58587-
354300x800000000000000045452Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.518{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53068-
354300x800000000000000045451Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.422{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61503-
354300x800000000000000045450Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.421{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63066-
354300x800000000000000045449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.421{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54020-
354300x800000000000000045448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.283{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55178-
354300x800000000000000045447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:17.114{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52210-false10.0.1.12-8000-
10341000x800000000000000045446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:21.141{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+27aead8|C:\Program Files\Mozilla Firefox\xul.dll+279fe1c|C:\Program Files\Mozilla Firefox\xul.dll+c271f1|C:\Program Files\Mozilla Firefox\xul.dll+2796eed|C:\Program Files\Mozilla Firefox\xul.dll+c2e536|C:\Program Files\Mozilla Firefox\xul.dll+c276bb|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c292d8|C:\Program Files\Mozilla Firefox\xul.dll+279815e|C:\Program Files\Mozilla Firefox\xul.dll+2797ef4|C:\Program Files\Mozilla Firefox\xul.dll+c2f792|C:\Program Files\Mozilla Firefox\xul.dll+c29539
23542300x800000000000000045445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:21.140{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5682676EB52EC65DE8BD29B3DE3E160D,SHA256=27BCC557FD042C70EA243DD17F8103CB168D171A5122808C111FF1C66324A072,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:21.113{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b849b8|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000025631Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:22.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77F8AC3722A39C9387581422ED6CDD8,SHA256=276EE8815953AD279DE75D29A4CE1348EF869A49D9A1407C11AEF21A9C1CE670,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.094{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-391.attackrange.local55189-false142.250.185.66fra16s48-in-f2.1e100.net443https
354300x800000000000000045467Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.068{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55188-
354300x800000000000000045466Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.066{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53207-
22542200x800000000000000045465Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.861{80A11F3A-A5BA-6124-9206-00000000F001}5540plus.l.google.com0172.217.23.110;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000045464Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.860{80A11F3A-A5BA-6124-9206-00000000F001}5540apis.google.com0type: 5 plus.l.google.com;::ffff:172.217.23.110;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000045463Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.528{80A11F3A-A5BA-6124-9206-00000000F001}5540gstaticadssl.l.google.com02a00:1450:4001:810::2003;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000045462Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.524{80A11F3A-A5BA-6124-9206-00000000F001}5540gstaticadssl.l.google.com0142.250.185.195;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000045461Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.426{80A11F3A-A5BA-6124-9206-00000000F001}5540www.google.com0142.250.185.68;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000045460Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:18.425{80A11F3A-A5BA-6124-9206-00000000F001}5540www.google.com0::ffff:142.250.185.68;C:\Program Files\Mozilla Firefox\firefox.exe
23542300x800000000000000045459Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:22.203{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4690574327DC13CB1B67F5E34E833AF9,SHA256=DF03C1DA7F3DEE4209D9ED6295E6B1F3F875629DD7C2AD86BB9ACE22422CBA95,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025632Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:23.658{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8911DA9D1A786FBE04A6F0D059EA7FCA,SHA256=24D2A67DD90CBFD41D1707CC9962ED32C07EEA003D2B01B1216F320BA4436A8B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:19.403{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58590-
23542300x800000000000000045470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:23.687{80A11F3A-B9C0-6124-1809-00000000F001}1796ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=4C19C1D4D846E61515B6EBD2BFE0C394,SHA256=7A2966126E883B7AEFAF001DB669F84DDB9D18F9ADBCF4F495C6C691F7A4E4EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:23.337{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F8F2CED1220D0E05E36C2403A7581,SHA256=A7F4A103EE18F6CC1C00610EE7892B1FCBDF193C52080BD5146394317B9C00CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025634Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:24.894{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779A2721BD007A6AE8F648BB910DF7AA,SHA256=E4CAF9BB719C9470779E50CC0D54323737EFC1D273F8D548B2C449A7894B3FF8,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:20.469{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53530-
23542300x800000000000000045472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:24.349{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95C56D84CD4FED19777AD76944D67EA,SHA256=F0825C7C4779E05389BA37B0ABCBF8BF94BB48F8ABCB2A93A2E263FBC7A09ADA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025633Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:24.740{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-099MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025635Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:25.754{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.912{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9D9-6124-1909-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.910{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.910{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.910{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.909{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.909{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-B9D9-6124-1909-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.909{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9D9-6124-1909-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.908{80A11F3A-B9D9-6124-1909-00000000F001}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000045474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.359{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065162961F11269404967325D0744F86,SHA256=B26CDD362960617F511613D1ED3C6FD2DAE88A79F24ED61C4DEA7829589752E0,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025637Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:24.690{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025636Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:26.127{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C9629504CA2E1609BE63B0FC9F1F09,SHA256=E759D5A71A717C14AEA05BA3CC55F3328D801A3956FF842C5AD6712711ECCD35,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045502Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.951{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9DA-6124-1B09-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045501Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.949{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045500Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.949{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045499Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.949{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045498Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.949{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045497Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.948{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-B9DA-6124-1B09-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045496Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.948{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DA-6124-1B09-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.948{80A11F3A-B9DA-6124-1B09-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000045494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.915{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DFE7C69CA0EEC7D0042D6186E00A5D1,SHA256=23668A552A98D7740A36098F3550CD4DE64F54AA795CC0792281EE469A1C6F86,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.914{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E7779DD3A4EE4D858DE931A4B08A88,SHA256=A4F797011C16650912896A679B87E41ED7460D11195AB33D8F7DBA6F79831017,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:22.924{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52211-false10.0.1.12-8000-
10341000x800000000000000045491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.431{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9DA-6124-1A09-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.428{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.428{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.427{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.427{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.427{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-B9DA-6124-1A09-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.427{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DA-6124-1A09-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.426{80A11F3A-B9DA-6124-1A09-00000000F001}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000045483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.364{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39EB077B9A8863A6246AF36F1592AB7,SHA256=44FF97A1D6310E23053B0D3ECCC26378416F6337878989020DD76BCFAFFFAFC3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025638Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:27.348{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4C9B9BF38828071DEBBD2A9DE2470F,SHA256=42D64BB84969EA1D676B01AAAED8B1F5061C49195BBF96110DE0DBCD3DA50610,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045506Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.981{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DFE7C69CA0EEC7D0042D6186E00A5D1,SHA256=23668A552A98D7740A36098F3550CD4DE64F54AA795CC0792281EE469A1C6F86,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045566Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.510{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DD-6124-1E09-00000000F001}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045565Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.510{80A11F3A-B9DD-6124-1E09-00000000F001}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000045564Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.308{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52497-
354300x800000000000000045563Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.179{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52217-false142.250.185.195fra16s52-in-f3.1e100.net443https
354300x800000000000000045562Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.178{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52216-false142.250.185.195fra16s52-in-f3.1e100.net443https
10341000x800000000000000045561Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.370{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045560Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.369{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045559Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.249{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\permissions.sqlite-journalMD5=D276B07DB276625660072749DEFD2AC4,SHA256=A7A128768982AE24C3F68F02F119652F8E845CF6DA5E8EC62329FA6CC2114345,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045558Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:25.908{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-391.attackrange.local58935-false142.250.184.234fra24s12-in-f10.1e100.net443https
10341000x800000000000000045557Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.242{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045556Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.241{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045555Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.241{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045554Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.180{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045553Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.179{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045552Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.179{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045551Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.179{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045550Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.179{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045549Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.178{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045548Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.178{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045547Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.178{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045546Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.178{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045545Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.177{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045544Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.177{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045543Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.177{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045542Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.176{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F50495ECF4C0B813268B2661AAFF421C,SHA256=D86634FDDE78B1AF3BA3CAB71D501111DD253A2C2497DA38CF6BD8B0A0F8EE36,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045541Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:29.065{80A11F3A-B9DC-6124-1D09-00000000F001}42806184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000025641Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:30.455{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035FA0E64EC77D46AEE5C04FCF37A915,SHA256=5861470E8C02BD84A8681B96EE911EA929EA1CBC5B69EE08628616F27528B797,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.585{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local60072-
354300x800000000000000045615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.584{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58753-
354300x800000000000000045614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.997{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52226-false152.199.21.140-443https
354300x800000000000000045613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.997{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52227-false152.199.21.140-443https
23542300x800000000000000045612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.603{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5263218C099DB4C818387753F075D1F8,SHA256=C2EAEF762B0EFEBC6B842056BFD6AFE53C04FBCCA75A01408711DA0F308709B5,IMPHASH=00000000000000000000000000000000falsetrue
22542200x800000000000000045611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.730{80A11F3A-A5BA-6124-9206-00000000F001}5540cs45.wac.edgecastcdn.net02606:2800:134:1a0d:1429:742:782:b6;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000045610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.728{80A11F3A-A5BA-6124-9206-00000000F001}5540cs45.wac.edgecastcdn.net093.184.220.70;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000045609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.316{80A11F3A-A5BA-6124-9206-00000000F001}5540cs491.wac.edgecastcdn.net02606:2800:234:46c:e8b:1e2f:2bd:694;C:\Program Files\Mozilla Firefox\firefox.exe
23542300x800000000000000045608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.517{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27B557D20709A81E9C9EC20A4F458534,SHA256=208EE5EC7C24EFB5CAF7A83B05F01DCFB77BB21A1546638CC3C025A1C42BDB34,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.421{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.421{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000045605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.996{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local60027-
354300x800000000000000045604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.994{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52785-
354300x800000000000000045603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.945{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52225-false93.184.220.70-443https
354300x800000000000000045602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.944{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52224-false152.199.21.141-443https
354300x800000000000000045601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.944{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52223-false152.199.21.141-443https
354300x800000000000000045600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.939{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local62315-
354300x800000000000000045599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.938{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58418-
354300x800000000000000045598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:26.937{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local62732-
10341000x800000000000000045597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.178{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-B9DE-6124-1F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.176{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.176{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.175{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.175{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.175{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-B9DE-6124-1F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.175{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-B9DE-6124-1F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:30.174{80A11F3A-B9DE-6124-1F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000025643Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:29.844{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025642Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:31.470{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E66A049B0D09214EE3BB406542B7280,SHA256=87A5EB419C8901570F568B0EDD8E2AA8D1B1FC9A25E2CC247E5C7CAC9B9C3973,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:28.119{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52228-false10.0.1.12-8000-
354300x800000000000000045619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.610{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-391.attackrange.local53domainfalse127.0.0.1win-dc-391.attackrange.local58753-
354300x800000000000000045618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:27.610{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-391.attackrange.local53domainfalse127.0.0.1win-dc-391.attackrange.local60072-
23542300x800000000000000045617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:31.579{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D33949E6E7D65A9212841EB551813C8,SHA256=548CA2C60755F17EBD32D531CF466DDFAA25381190AB5D92784E781FF8CEE974,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025645Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:32.689{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025644Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:32.470{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856AF57287725E68EC95F90C7A712BB6,SHA256=2129E5DBA8F47D9DCBEE9B69C3994F56418DC5E28AF8AC9EDD9F13F00A411C62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:32.583{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B47E75ED5C8BB40A9ECA0661BD15FDB,SHA256=C88797BFBE3EA5AB1786171BBC07DF4F7E3C5A1B663E96B3861722AF04716512,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025646Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:33.689{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6D6798584AB6A8FA7F28CF02601E87,SHA256=6DA8067A3E6632CB8EED961D5439E5434DD460E74CE84D105BC0D792EFAE28E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:33.586{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF6DC225FCEA7944A8D308DDD84B3DD,SHA256=EF49B3B640741179C2383B72693541BBF033E8CAA271B0AD2FEDDC9A2EFB0E70,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025648Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:34.704{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07762C4C04FCDAE2E16E96922FE8A552,SHA256=0A506D6838154CB3CD7942438E3D28447CC778F9D4FA9BBB980E8ECA37A4A2E3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:34.598{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C660E7278BDF833309E16CC0143E928,SHA256=74B7DC095FFCC2B0FB1CDFECA0260EC206B8DDA800A6666AD8B9A0D164EB95DE,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025647Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:32.282{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
23542300x800000000000000025649Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:35.830{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D70F5B8D7B327863E5E9CFA4DD766E,SHA256=8533D576D7F03B524D1ADECD2358CF131612B42F69D28835382FA98C1B802ADD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.602{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7795E51D40421750903A2EB41ADD781,SHA256=AA345CF3A8351A53B30E4FB30BF2AE5D178A3C9D173FCF565E9EDA94CA7A9A02,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025650Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:36.986{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F36CB9D4E2EB16E05162E76DF7447E,SHA256=DC53A8582550BAA8889BB627A1EB754602E717AD1BE8F2567381BEF455EAEF81,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:36.608{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514182324B7EFF8ED0B3CBA07F683929,SHA256=1A217EC830CF653FCF84C40942B6E3E8B6B192CC3376191BC5D8779F7B54F244,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025651Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:35.703{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x800000000000000045630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.985{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
10341000x800000000000000045629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.710{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.630{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1990343FCA8E391BB5E8BE8E5295A409,SHA256=87CD7C80905B6C852C570022F45368244DA9A7EE4592AC8AE5AB0D236FF078B8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.390{80A11F3A-9FFD-6124-1000-00000000F001}4401684C:\Windows\system32\svchost.exe{80A11F3A-B94B-6124-0709-00000000F001}4252C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:37.107{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B94B-6124-0709-00000000F001}4252C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e75749|C:\Program Files\Mozilla Firefox\xul.dll+e76123|C:\Program Files\Mozilla Firefox\xul.dll+e65391|C:\Program Files\Mozilla Firefox\xul.dll+e66864|C:\Program Files\Mozilla Firefox\xul.dll+e68d23|C:\Program Files\Mozilla Firefox\xul.dll+c8e024|C:\Program Files\Mozilla Firefox\xul.dll+c8b227|C:\Program Files\Mozilla Firefox\xul.dll+296b50|C:\Program Files\Mozilla Firefox\xul.dll+2966e1|C:\Program Files\Mozilla Firefox\xul.dll+f9c735|C:\Program Files\Mozilla Firefox\xul.dll+17952e4|C:\Program Files\Mozilla Firefox\xul.dll+1793c45|C:\Program Files\Mozilla Firefox\xul.dll+c8d89f|C:\Program Files\Mozilla Firefox\xul.dll+278ee6|C:\Program Files\Mozilla Firefox\xul.dll+39f83e|C:\Program Files\Mozilla Firefox\xul.dll+d216a6|UNKNOWN(00000320DE9D3110)
23542300x800000000000000025652Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:38.126{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C136DAE9403995F7A2605645C29B28,SHA256=8415AFF151D3C547281FB036F1C7879DF99A9C150A983683B44244A181269FDE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045678Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.669{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E948AD1321D81EBEB691A1583E9CB4CD,SHA256=4F023C2C540F16772509F4FC6D93AA1AA433D3877AA8170B4DE4BD0F13C5C58E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045677Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.668{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3D430673AB684C419A70C2E673FAD8C,SHA256=5F6216DCEC0357481D72F09847FC6AE0FA64B63592CE6DB78E5ED09D4BD5601A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.648{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A809DD062276DA677773C0CEBB135C,SHA256=3887D8101AFCF056D86008101696B134D4A196978F4DA60A60F877AB5172B1BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.248{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBD31A28A1BDDBA4C6BBA8773205358,SHA256=105A116DC5274706F4D86A5A4F9771841F00494EEF81D3794E4B4B69A93B7439,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.247{80A11F3A-A5BA-6124-9206-00000000F001}55401504C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a25601|C:\Program Files\Mozilla Firefox\xul.dll+a86785|C:\Program Files\Mozilla Firefox\xul.dll+cff01|C:\Program Files\Mozilla Firefox\xul.dll+1a0b8a2|C:\Program Files\Mozilla Firefox\xul.dll+176639d|C:\Program Files\Mozilla Firefox\xul.dll+16954dd|C:\Program Files\Mozilla Firefox\xul.dll+26542|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+8d3bc7|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.234{80A11F3A-9FFD-6124-1000-00000000F001}4401684C:\Windows\system32\svchost.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.233{80A11F3A-9FFD-6124-1000-00000000F001}4401684C:\Windows\system32\svchost.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.221{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.220{80A11F3A-9FFB-6124-0B00-00000000F001}6323560C:\Windows\system32\lsass.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.201{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a68e78|C:\Program Files\Mozilla Firefox\xul.dll+a2cd97|C:\Program Files\Mozilla Firefox\xul.dll+a75619|C:\Program Files\Mozilla Firefox\xul.dll+e6e8d8|C:\Program Files\Mozilla Firefox\xul.dll+1a171f4|C:\Program Files\Mozilla Firefox\xul.dll+1a0b8a2|C:\Program Files\Mozilla Firefox\xul.dll+19e35b2|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4
18141800x800000000000000045668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-ConnectPipe2021-08-24 09:20:38.201{80A11F3A-A5BA-6124-9206-00000000F001}5540\cubeb-pipe-5540-6C:\Program Files\Mozilla Firefox\firefox.exe
17141700x800000000000000045667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:20:38.201{80A11F3A-A5BA-6124-9206-00000000F001}5540\cubeb-pipe-5540-6C:\Program Files\Mozilla Firefox\firefox.exe
10341000x800000000000000045666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.186{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.183{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5C6-6124-9906-00000000F001}2484C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79757|C:\Program Files\Mozilla Firefox\xul.dll+8dea37|C:\Program Files\Mozilla Firefox\xul.dll+8d2f14|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.183{80A11F3A-9FFD-6124-1600-00000000F001}12961344C:\Windows\system32\svchost.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
18141800x800000000000000045663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-ConnectPipe2021-08-24 09:20:38.181{80A11F3A-A5BC-6124-9306-00000000F001}1640\chrome.5540.15.123935828C:\Program Files\Mozilla Firefox\firefox.exe
10341000x800000000000000045662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.180{80A11F3A-A5BA-6124-9206-00000000F001}55406976C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+1b9bbc|C:\Program Files\Mozilla Firefox\xul.dll+a2f2a6|C:\Program Files\Mozilla Firefox\xul.dll+a2a051|C:\Program Files\Mozilla Firefox\xul.dll+1a03c46|C:\Program Files\Mozilla Firefox\xul.dll+1a024e1|C:\Program Files\Mozilla Firefox\xul.dll+13705|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+12de8|C:\Program Files\Mozilla Firefox\xul.dll+a0c091|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
17141700x800000000000000045661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-CreatePipe2021-08-24 09:20:38.180{80A11F3A-A5BA-6124-9206-00000000F001}5540\chrome.5540.15.123935828C:\Program Files\Mozilla Firefox\firefox.exe
18141800x800000000000000045660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-ConnectPipe2021-08-24 09:20:38.179{80A11F3A-A5BA-6124-9206-00000000F001}5540\chrome.5540.14.213904581C:\Program Files\Mozilla Firefox\firefox.exe
10341000x800000000000000045659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:38.178{80A11F3A-A5BA-6124-9206-00000000F001}55402256C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B9E6-6124-2009-00000000F001}6844C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1354cb|C:\Program Files\Mozilla Firefox\xul.dll+123998d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
18141800x800000000000000045658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-ConnectPipe2021-08-24 09:20:38.178{80A11F3A-A5BA-6124-9206-00000000F001}5540\gecko-crash-server-pipe.5540C:\Program Files\Mozilla Firefox\firefox.exe
Sysmon event export, one record per block, fields split per the Sysmon event schema (EventID 10 ProcessAccess, 1 ProcessCreate, 17 PipeEvent, 3 NetworkConnect, 22 DnsQuery, 23 FileDelete). Record order is as exported.

EventRecordID 45657 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.137
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x2200
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e75749|C:\Program Files\Mozilla Firefox\xul.dll+e6763c|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45656 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.136
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45655 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.136
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45654 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.136
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45653 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.136
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45652 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.136
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45651 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.136
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45650 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.136
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45649 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.136
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45648 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.135
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45647 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.135
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45646 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.135
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45645 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.135
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45644 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.135
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a7471d|C:\Program Files\Mozilla Firefox\xul.dll+a69d3a|C:\Program Files\Mozilla Firefox\xul.dll+a69bf4|C:\Program Files\Mozilla Firefox\xul.dll+90e0ae|C:\Program Files\Mozilla Firefox\xul.dll+e6734a|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd

EventRecordID 45643 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.134
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a1c78f|C:\Program Files\Mozilla Firefox\xul.dll+a69dd8|C:\Program Files\Mozilla Firefox\xul.dll+e78f88|C:\Program Files\Mozilla Firefox\xul.dll+e672e6|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4

EventRecordID 45642 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.134
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+e6725d|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45641 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.134
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 1596
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x40
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+c22d5|C:\Program Files\Mozilla Firefox\xul.dll+e66f34|C:\Program Files\Mozilla Firefox\xul.dll+35f87a4|C:\Program Files\Mozilla Firefox\xul.dll+35f8710|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695b70|C:\Program Files\Mozilla Firefox\xul.dll+1a0cbc6|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45640 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.134
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 6976
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x101451
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a234df|C:\Program Files\Mozilla Firefox\xul.dll+898cb4|C:\Program Files\Mozilla Firefox\xul.dll+168795b|C:\Program Files\Mozilla Firefox\xul.dll+1a02565|C:\Program Files\Mozilla Firefox\xul.dll+13705|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+12de8|C:\Program Files\Mozilla Firefox\xul.dll+a0c091|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45639 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.122
  SourceProcessGUID: {80A11F3A-9FFC-6124-0C00-00000000F001}    SourceProcessId: 852    SourceThreadId: 5808
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {80A11F3A-A00D-6124-2D00-00000000F001}    TargetProcessId: 2148
  TargetImage: C:\Windows\sysmon64.exe
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45638 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.122
  SourceProcessGUID: {80A11F3A-9FFC-6124-0C00-00000000F001}    SourceProcessId: 852    SourceThreadId: 5808
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {80A11F3A-A00D-6124-2D00-00000000F001}    TargetProcessId: 2148
  TargetImage: C:\Windows\sysmon64.exe
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45637 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.121
  SourceProcessGUID: {80A11F3A-9FFC-6124-0C00-00000000F001}    SourceProcessId: 852    SourceThreadId: 5808
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {80A11F3A-A00D-6124-2D00-00000000F001}    TargetProcessId: 2148
  TargetImage: C:\Windows\sysmon64.exe
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45636 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.121
  SourceProcessGUID: {80A11F3A-9FFC-6124-0C00-00000000F001}    SourceProcessId: 852    SourceThreadId: 5808
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {80A11F3A-A00D-6124-2D00-00000000F001}    TargetProcessId: 2148
  TargetImage: C:\Windows\sysmon64.exe
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45635 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.121
  SourceProcessGUID: {80A11F3A-A44A-6124-B604-00000000F001}    SourceProcessId: 2788    SourceThreadId: 4036
  SourceImage: C:\Windows\system32\csrss.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventRecordID 45634 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.121
  SourceProcessGUID: {80A11F3A-A5BA-6124-9206-00000000F001}    SourceProcessId: 5540    SourceThreadId: 2948
  SourceImage: C:\Program Files\Mozilla Firefox\firefox.exe
  TargetProcessGUID: {80A11F3A-B9E6-6124-2009-00000000F001}    TargetProcessId: 6844
  TargetImage: C:\Program Files\Mozilla Firefox\firefox.exe
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2efed|C:\Program Files\Mozilla Firefox\firefox.exe+2e1f5|C:\Program Files\Mozilla Firefox\xul.dll+1fbfbea|C:\Program Files\Mozilla Firefox\xul.dll+a1ef43|C:\Program Files\Mozilla Firefox\xul.dll+a1d105|C:\Program Files\Mozilla Firefox\xul.dll+a243fe|C:\Program Files\Mozilla Firefox\xul.dll+8d1360|C:\Program Files\Mozilla Firefox\xul.dll+16954dd|C:\Program Files\Mozilla Firefox\xul.dll+2660a|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+8d3bc7|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45633 | EventID 1 (ProcessCreate) | Version 5 | Level 4 | Task 1 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:38.120
  ProcessGuid: {80A11F3A-B9E6-6124-2009-00000000F001}    ProcessId: 6844
  Image: C:\Program Files\Mozilla Firefox\firefox.exe
  FileVersion: 91.0.1    Description: Firefox    Product: Firefox    Company: Mozilla Corporation    OriginalFileName: firefox.exe
  CommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5540.14.2139045812\1159667313" -childID 7 -isForBrowser -prefsHandle 6952 -prefMapHandle 6956 -prefsLen 16309 -prefMapSize 234501 -jsInit 1092 285716 -parentBuildID 20210816143654 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5540 "\\.\pipe\gecko-crash-server-pipe.5540" 7004 1c46e683938 tab
  CurrentDirectory: C:\Program Files\Mozilla Firefox\
  User: ATTACKRANGE\Administrator    LogonGuid: {80A11F3A-A44C-6124-23D7-2F0000000000}    LogonId: 0x2fd723    TerminalSessionId: 2    IntegrityLevel: Low
  Hashes: MD5=FA9F4FC5D7ECAB5A20BF7A9D1251C851,SHA256=49936283672808DE852727CA17A946FC63F0DC0F7E4D9EAB800CE81612EED84E,IMPHASH=6DE9E29DFB7DEB336155C42BCB9F9A14
  ParentProcessGuid: {80A11F3A-A5BA-6124-9206-00000000F001}    ParentProcessId: 5540
  ParentImage: C:\Program Files\Mozilla Firefox\firefox.exe
  ParentCommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe"

EventRecordID 45632 | EventID 17 (PipeEvent) | Version 1 | Level 4 | Task 17 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    EventType: CreatePipe    UtcTime: 2021-08-24 09:20:38.110
  ProcessGuid: {80A11F3A-A5BA-6124-9206-00000000F001}    ProcessId: 5540
  PipeName: \chrome.5540.14.213904581
  Image: C:\Program Files\Mozilla Firefox\firefox.exe

EventRecordID 45631 | EventID 3 (NetworkConnect) | Version 5 | Level 4 | Task 3 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:34.045
  ProcessGuid: {80A11F3A-A088-6124-D200-00000000F001}    ProcessId: 1116
  Image: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
  User: NT AUTHORITY\SYSTEM    Protocol: tcp    Initiated: true
  SourceIsIpv6: false    SourceIp: 10.0.1.14    SourceHostname: win-dc-391.attackrange.local    SourcePort: 52229    SourcePortName: -
  DestinationIsIpv6: false    DestinationIp: 10.0.1.12    DestinationHostname: -    DestinationPort: 8000    DestinationPortName: -

EventRecordID 45690 | EventID 23 (FileDelete) | Version 5 | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:39.657
  ProcessGuid: {80A11F3A-A08E-6124-DF00-00000000F001}    ProcessId: 3932    User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=FC5EABC8BA45017013EBB4224DBAE661,SHA256=0E3B9649404FD875D4FACB94B674F50D80FA5D6CDEA5CC6F80E90C926F4AEED5,IMPHASH=00000000000000000000000000000000
  IsExecutable: false    Archived: true

EventRecordID 25653 | EventID 23 (FileDelete) | Version 5 | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-host-944
  RuleName: -    UtcTime: 2021-08-24 09:20:39.361
  ProcessGuid: {D371C250-A25C-6124-D900-00000000F101}    ProcessId: 3956    User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=045DAAEF9AD54755CD0468B2F74650BD,SHA256=D7DAD74B452B740DA448A6C972E4ED9E618399D2AEB0F6252ECBFED520FB8AE8,IMPHASH=00000000000000000000000000000000
  IsExecutable: false    Archived: true

EventRecordID 45689 | EventID 22 (DnsQuery) | Version 5 | Level 4 | Task 22 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:35.032
  ProcessGuid: {80A11F3A-A5BA-6124-9206-00000000F001}    ProcessId: 5540
  QueryName: raw.githubusercontent.com    QueryStatus: 9501    QueryResults: -
  Image: C:\Program Files\Mozilla Firefox\firefox.exe

EventRecordID 45688 | EventID 22 (DnsQuery) | Version 5 | Level 4 | Task 22 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:35.029
  ProcessGuid: {80A11F3A-A5BA-6124-9206-00000000F001}    ProcessId: 5540
  QueryName: raw.githubusercontent.com    QueryStatus: 0    QueryResults: 185.199.109.133;185.199.110.133;185.199.111.133;185.199.108.133;
  Image: C:\Program Files\Mozilla Firefox\firefox.exe

EventRecordID 45687 | EventID 22 (DnsQuery) | Version 5 | Level 4 | Task 22 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:35.028
  ProcessGuid: {80A11F3A-A5BA-6124-9206-00000000F001}    ProcessId: 5540
  QueryName: raw.githubusercontent.com    QueryStatus: 0    QueryResults: ::ffff:185.199.108.133;::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;
  Image: C:\Program Files\Mozilla Firefox\firefox.exe

EventRecordID 45686 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:39.036
  SourceProcessGUID: {80A11F3A-9FFC-6124-0C00-00000000F001}    SourceProcessId: 852    SourceThreadId: 5808
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {80A11F3A-9FFD-6124-1500-00000000F001}    TargetProcessId: 1248
  TargetImage: C:\Windows\system32\svchost.exe
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45685 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:39.036
  SourceProcessGUID: {80A11F3A-9FFC-6124-0C00-00000000F001}    SourceProcessId: 852    SourceThreadId: 5808
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {80A11F3A-9FFD-6124-1500-00000000F001}    TargetProcessId: 1248
  TargetImage: C:\Windows\system32\svchost.exe
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45684 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:39.035
  SourceProcessGUID: {80A11F3A-9FFC-6124-0C00-00000000F001}    SourceProcessId: 852    SourceThreadId: 5808
  SourceImage: C:\Windows\system32\svchost.exe
  TargetProcessGUID: {80A11F3A-9FFD-6124-1500-00000000F001}    TargetProcessId: 1248
  TargetImage: C:\Windows\system32\svchost.exe
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 45683 | EventID 3 (NetworkConnect) | Version 5 | Level 4 | Task 3 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-391.attackrange.local
  RuleName: -    UtcTime: 2021-08-24 09:20:35.551
  ProcessGuid: {80A11F3A-9FFB-6124-0B00-00000000F001}    ProcessId: 632
  Image: C:\Windows\System32\lsass.exe
  User: NT AUTHORITY\SYSTEM    Protocol: tcp    Initiated: false
  SourceIsIpv6: true    SourceIp: 0:0:0:0:0:0:0:1    SourceHostname: win-dc-391.attackrange.local    SourcePort: 52231    SourcePortName: -
  DestinationIsIpv6: true    DestinationIp: 0:0:0:0:0:0:0:1    DestinationHostname: win-dc-391.attackrange.local    DestinationPort: 389    DestinationPortName: ldap
354300x800000000000000045682Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.551{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52231-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap
354300x800000000000000045681Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.027{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52230-false185.199.108.133cdn-185-199-108-133.github.com443https
354300x800000000000000045680Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.026{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local54792-
354300x800000000000000045679Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:35.020{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local58693-
10341000x800000000000000045696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.864{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
10341000x800000000000000045695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.744{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-B94B-6124-0709-00000000F001}4252C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e75749|C:\Program Files\Mozilla Firefox\xul.dll+e6a32e|C:\Program Files\Mozilla Firefox\xul.dll+e551cc|C:\Program Files\Mozilla Firefox\xul.dll+c8cfa6|C:\Program Files\Mozilla Firefox\xul.dll+23bd71|C:\Program Files\Mozilla Firefox\xul.dll+8baf61|C:\Program Files\Mozilla Firefox\xul.dll+18744d8|C:\Program Files\Mozilla Firefox\xul.dll+233303|C:\Program Files\Mozilla Firefox\xul.dll+23326b|C:\Program Files\Mozilla Firefox\xul.dll+d175d4|C:\Program Files\Mozilla Firefox\xul.dll+1720ce0|C:\Program Files\Mozilla Firefox\xul.dll+16eb6b8|C:\Program Files\Mozilla Firefox\xul.dll+1b8122d|C:\Program Files\Mozilla Firefox\xul.dll+17a5738|C:\Program Files\Mozilla Firefox\xul.dll+1756d76|UNKNOWN(00000320DE9D1E84)
23542300x800000000000000045694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.662{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FC84B953411F485E1842314BD9599B,SHA256=DC10304C49E92B37BDBB4AC2D8047DBA153EEE80C278DEC83C327EDEB7A52D04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025654Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:40.376{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C92B92CA3A9CD9D03662E786B642C4,SHA256=367083465F3D3061ED354F5A4DBF0ECA4E2D0B813F55BE32C746CFA9EEF5A6DB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.209{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045692Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.208{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045691Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:40.206{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5C6-6124-9906-00000000F001}2484C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f1d0|C:\Program Files\Mozilla Firefox\xul.dll+e79d58|C:\Program Files\Mozilla Firefox\xul.dll+e79899|C:\Program Files\Mozilla Firefox\xul.dll+e7ad5f|C:\Program Files\Mozilla Firefox\xul.dll+1195606|C:\Program Files\Mozilla Firefox\xul.dll+e766dd|C:\Program Files\Mozilla Firefox\xul.dll+e5e5f0|C:\Program Files\Mozilla Firefox\xul.dll+1ef0312|C:\Program Files\Mozilla Firefox\xul.dll+1a31108|C:\Program Files\Mozilla Firefox\xul.dll+1a3327f|C:\Program Files\Mozilla Firefox\xul.dll+17a86d7|C:\Program Files\Mozilla Firefox\xul.dll+1bdac45|C:\Program Files\Mozilla Firefox\xul.dll+16e9761|C:\Program Files\Mozilla Firefox\xul.dll+1b7ebc9|C:\Program Files\Mozilla Firefox\xul.dll+17a8b7c|C:\Program Files\Mozilla Firefox\xul.dll+1bdac45|C:\Program Files\Mozilla Firefox\xul.dll+16e9761|C:\Program Files\Mozilla Firefox\xul.dll+1d32f42|UNKNOWN(00000320DE9D7C54)
23542300x800000000000000025655Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:41.501{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB0188EC7BBEB9CE30B1C3A3706601C,SHA256=204FD661904B47697194B252A87AF610D0E3784FF3E9EAB99C5637F6EA55306A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:41.669{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6EC2B463E55754810D2D4C220982DD,SHA256=1CDDEBFDEAD39C83F2A70CA6996C554A9A2C381FBF993B3B3C2ACDEDABB2185B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:41.206{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\aborted-session-pingMD5=9528A5F635827FCD481B844CFDBEF254,SHA256=F9C7307F8CAFD47F3CDB63A1E0DEC843083B2D3B2B2380E8717A0B6845BB875C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025657Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:40.813{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025656Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:42.720{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A3B046ECC961A61A5FA9699EE28EC3,SHA256=8A98D7B8AF7EBEF298008C25A57782E0816EED36FA2B1612E7762A0A290E0EEF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:42.676{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5631FDF06F678C0F7B93B0BCA90FDF,SHA256=DC6ABDFCB43152114243E77E39AA01689659758264809FE43D74B56599E48C5B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025658Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:43.939{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4E4027927F9082BA470AEE37B73739,SHA256=20867BA6EAD48C9D40DD565BAEF0FC38BFD214FE9431312D608936FFDB2BC3AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:43.681{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E3177E2B9310B1316F94DB0A61CB0C,SHA256=4DBE67D5A2F19DB63A2B6B64C9F14FF0B6EC608DBA1B0865B0BAC69B85186DC4,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:39.115{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52232-false10.0.1.12-8000-
23542300x800000000000000025659Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:44.939{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4811133ECCE9F56C82C0F490D8FAE32B,SHA256=C53AD0318219D9935338DD7DC72B31A963E9A0F4569322945421520F7898678C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:44.688{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4762681941E045AFF8C39BEE71071619,SHA256=E7635B6418307CB6B22E8FF7A9D28FDF98FC3875A357C86513970E45434912A3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:45.700{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F768EBDFD3F6C676051E31E9B0DA4B,SHA256=70EF30E4CFF704A660DFF0235649520D7AAE371998A7CCF4CB372B2998916CBE,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000025661Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:20:46.626{D371C250-A1CD-6124-1500-00000000F101}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d798c9-0x523c942a)
23542300x800000000000000025660Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:46.173{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46EDF2C54FF7EE843E55052645EE91A,SHA256=849B7E1C18DD24451554E2F8374100D00846C7122E54C9FBD90677FAB7BC1F0F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:46.703{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC79AFD7D512F1C6335FFA364426B9B,SHA256=EA24187425028A9071EDF2B67B31DF6BA43CD4BCC354B7379F6B681E14527195,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025662Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:47.408{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF0211D1AD44AC024D9C6E0E11E6326,SHA256=BC6CD68C23BABD4BEF2CF9066B4A403CE33D68D08EFAC57F6A052312EF2D56BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045741Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.942{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B87E32E2116564A96A0075881441B4,SHA256=EC456B1B9CD945707D45AC1ACA8174039E3D00F80A7B072A69A15F08ACD9CC79,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045740Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045739Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045738Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045737Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045736Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.574{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045735Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045734Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045733Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:47.573{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45725 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.573 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45724 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.573 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45723 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.573 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45722 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.572 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45721 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.572 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45720 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.572 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45719 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.572 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45718 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.572 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45717 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.572 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45716 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.572 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45715 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.571 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45714 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.571 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45713 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.571 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45712 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.570 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45B-6124-FB04-00000000F001} TargetProcessId=5300 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45711 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.570 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45B-6124-FB04-00000000F001} TargetProcessId=5300 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45710 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.570 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45B-6124-FB04-00000000F001} TargetProcessId=5300 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45709 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.570 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45B-6124-FB04-00000000F001} TargetProcessId=5300 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45708 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.570 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45B-6124-FB04-00000000F001} TargetProcessId=5300 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45707 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.570 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45B-6124-FB04-00000000F001} TargetProcessId=5300 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45706 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.570 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45B-6124-FB04-00000000F001} TargetProcessId=5300 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45705 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:47.569 SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45B-6124-FB04-00000000F001} TargetProcessId=5300 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45751 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.956 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=796D428789661DC27873936552B45556,SHA256=99939175DBAFE36D6911C5D83DC18BDA3F3002F61AB0AFB216DE7381B45764F6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25664 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:46.782 ProcessGuid={D371C250-A256-6124-D000-00000000F101} ProcessId=2604 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-944.eu-central-1.compute.internal SourcePort=50934 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.eu-central-1.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25663 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:48.408 ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=2B4954CAFDFFBB763E1F9536E96D242C,SHA256=EF864424D9B6EB2CB276BD1EF524A39339457423066A47B0BD8AF9AAEF01B405,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45750 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.142 ProcessGuid={80A11F3A-A5BA-6124-9206-00000000F001} ProcessId=5540 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=6ECA048C80D528F6A45AE4E867B01451,SHA256=BE42F491FC362B26C31CF036C064F1B8C85E6CC0CA3879B6686114DD4629AC69,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45749 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.141 ProcessGuid={80A11F3A-A5BA-6124-9206-00000000F001} ProcessId=5540 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=5C471C63A42F85F61228518DFF10EC0B,SHA256=BD45B8D7E73C5B1986B5A9E46B6A84F6EC51CF43C25AAE451071A4F24945E12C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45748 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.140 ProcessGuid={80A11F3A-A5BA-6124-9206-00000000F001} ProcessId=5540 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=48A80BBF15D7194C4627DF8EA7E1DBF8,SHA256=7B0252D330F4BBB87FAC83ED147B1BAFFBFAF00AB5D3C08508554F849CB145C2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45747 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.138 ProcessGuid={80A11F3A-A5BA-6124-9206-00000000F001} ProcessId=5540 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=678D1E2AF9EC79B1CEA5F883040523D0,SHA256=64C654C2F7D55C871F1C5770DDE7B0E144231E6E05EE13E31845135D1926496A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45746 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.137 ProcessGuid={80A11F3A-A5BA-6124-9206-00000000F001} ProcessId=5540 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=FBB778D9546A80BDAA18EFD43286851D,SHA256=56C8A14C892872E3DFE73A8FE1B1D8EBF8EAF0E22D4FB45D6B044A3CEAB3BFC3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45745 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.136 ProcessGuid={80A11F3A-A5BA-6124-9206-00000000F001} ProcessId=5540 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=DFAB101936251914AAB563810C94FA6E,SHA256=70CE4DD147D823FE42D773843690C2F0C44D2DCC667BAB42CF86223FFE30B3F6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45744 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.135 ProcessGuid={80A11F3A-A5BA-6124-9206-00000000F001} ProcessId=5540 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=87944E14A708A41453D474A49EC5DBA7,SHA256=CFBBFDDEC134001E485B0C72A60903F436BCAACBBE1AFF229FCAC52DDE38931F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45743 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.133 ProcessGuid={80A11F3A-A5BA-6124-9206-00000000F001} ProcessId=5540 User=ATTACKRANGE\Administrator Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=B90FE4A4650EDD186C25494EBC62664C,SHA256=A70FAE415EDCC3CF7F0C743117DFF643889AB1D50941F2FCEDCC03EC7DFED12A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45742 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:44.156 ProcessGuid={80A11F3A-A088-6124-D200-00000000F001} ProcessId=1116 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-391.attackrange.local SourcePort=52233 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45752 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:49.962 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=9C81F1DA9D8AA74BB32198BBB147DD31,SHA256=B0178F8BDDA64BB433C6DF00BB771388DCBABC80C170ED94CE3208DE95C0EADF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25665 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:49.408 ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=4BA3F8D4EEAC69C3C239416DF6BD0599,SHA256=A0BF4447EBBAE52CE5117223E462886C04FA82A32B96E21AC9E521FEFF9D436D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25667 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:50.785 ProcessGuid={D371C250-A1CD-6124-1100-00000000F101} ProcessId=976 User=NT AUTHORITY\LOCAL SERVICE Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Hashes=MD5=6F18792D571F4322D0EEEFA7E3310079,SHA256=990F6F166023B612EFF945DCD7EF6071DB5A77615FFA19714B8331CB8789D001,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25666 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:50.410 ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=DA32DB972ABDB9A11A787309F31D7FC2,SHA256=45ADEB603E255ADF4B88C1EC6CEF18D9655E254CBD6D00A475646BEC54290506,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45753 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:50.967 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=25E0FE45374E059161E36F99B77A5917,SHA256=56AF5F5761B86DF1209E42345FD5AF8896D48B0E9562AF648D86FDFDF2210450,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25668 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:51.488 ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=792C02E6DBFB9C9D5AE363340CAB0C36,SHA256=A1983568DDC8973D2ECE1A2AE819037E0F9A42D63DC4B8DC4E44A33A7747C733,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45755 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:51.974 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=353D3C199606E8AF78C3FB72776877CA,SHA256=E500890F5B60EC1F479F633F48A02A7BAD6B8EC3DD6C8A0C1A47A3ED20D7A280,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45754 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:51.041 ProcessGuid={80A11F3A-A080-6124-A400-00000000F001} ProcessId=3688 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml Hashes=MD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45759 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:52.979 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=55CEE53A66C4923CA7A6289004E10090,SHA256=5346D3D40EF3BC80C3C52618D6DBD03BF61F717DADE368DEF53BAB24A8018297,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25669 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:52.488 ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=1286BB774877C1A5C9F3B60FA9DC8BA0,SHA256=CA8E8D1AC29EEFE9D2A5EB8AA0DEFC201D88C1235C4E76B2159D523BCE51B221,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45758 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-08-24 09:20:52.884 ProcessGuid={80A11F3A-A00D-6124-2A00-00000000F001} ProcessId=2964 Image=C:\Windows\system32\DFSRs.exe TargetObject=HKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File Details=\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45757 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-08-24 09:20:52.880 ProcessGuid={80A11F3A-A00D-6124-2A00-00000000F001} ProcessId=2964 Image=C:\Windows\system32\DFSRs.exe TargetObject=HKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Config Source Details=DWORD (0x00000001)
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45756 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime=2021-08-24 09:20:52.880 ProcessGuid={80A11F3A-A00D-6124-2A00-00000000F001} ProcessId=2964 Image=C:\Windows\system32\DFSRs.exe TargetObject=HKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\306E0B0B-0719-4FB5-BA4F-7A2D80831A9D\Replica Set Configuration File Details=\\?\C:\System Volume Information\DFSR\Config\Replica_306E0B0B-0719-4FB5-BA4F-7A2D80831A9D.XML
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25670 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:53.488 ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=809EC2BEAF019BE1C8C4BAB5B1452F3F,SHA256=D3BA602761C8FB1B685EF8E75B01D8966A107851F61C299130E037B46ED90052,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45763 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:53.988 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=64DAB22B22290434C84B200993EBA5E1,SHA256=E2834417FF53A7A394F5C029272F2461407E68B269736F0304F3471F36966B7D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45762 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:53.894 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=69EB52FC7EEB6AEB64289EE4798CF11B,SHA256=4D944D7D5002B7B7A1D20353E06EA62D6D48FD61D33B66FA771D8F02FAF8C15D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45761 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:53.893 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=E948AD1321D81EBEB691A1583E9CB4CD,SHA256=4F023C2C540F16772509F4FC6D93AA1AA433D3877AA8170B4DE4BD0F13C5C58E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45760 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:48.937 ProcessGuid={80A11F3A-A080-6124-A400-00000000F001} ProcessId=3688 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-391.attackrange.local SourcePort=52234 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8089 DestinationPortName=-
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25672 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:52.690 ProcessGuid={D371C250-A256-6124-D000-00000000F101} ProcessId=2604 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-944.eu-central-1.compute.internal SourcePort=50935 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.eu-central-1.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25671 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:54.722 ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=18CB4F537087F77905EEFAB16B59B912,SHA256=74919156B621E5FD4714528EE155DB6C4F534438EEABF6CDB35C32C2E39AC749,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45770 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:50.806 ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\System32\lsass.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52238 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45769 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:50.806 ProcessGuid={80A11F3A-A00D-6124-2A00-00000000F001} ProcessId=2964 Image=C:\Windows\System32\dfsrs.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52238 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45768 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:50.795 ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\System32\lsass.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52237 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45767 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:50.795 ProcessGuid={80A11F3A-A00D-6124-2A00-00000000F001} ProcessId=2964 Image=C:\Windows\System32\dfsrs.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52237 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45766 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:50.773 ProcessGuid={80A11F3A-9FFC-6124-0D00-00000000F001} ProcessId=908 Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\NETWORK SERVICE Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52236 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=135 DestinationPortName=epmap
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45765 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:50.773 ProcessGuid={80A11F3A-A00D-6124-2A00-00000000F001} ProcessId=2964 Image=C:\Windows\System32\dfsrs.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52236 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=135 DestinationPortName=epmap
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45764 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:50.036 ProcessGuid={80A11F3A-A088-6124-D200-00000000F001} ProcessId=1116 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-391.attackrange.local SourcePort=52235 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25673 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:55.957 ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=3C242B0720D52987F495D3B535121455,SHA256=BF0A355EB6F7A853664B83101BA7057184EC91A64CD9B68F7FB02F2097553962,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45771 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:55.000 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=57B005F0C9B514A0366D16CA8AEB5DAF,SHA256=78F11B9A6BC9CB0CBB80F08D37876E2384E80A33916CBC3A6166C3F7E46E57AA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45772 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:56.008 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=F606795AAD8C0947F8743B1567877ABB,SHA256=CE5BCA6E5EA02922A1FF29645314025C5043A73678ABE7DBD81952B52A0462DE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=25674 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime=2021-08-24 09:20:57.019 ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=F67236880F60FEB848F7D7D25038AE39,SHA256=FE4525AE0903162559BE251C789902BADCCC8733BDC3E127FD0EF66DED0FE121,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=45773 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime=2021-08-24 09:20:57.022 ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=18F2FCE99E313FA785E1C7A7FF5A9C32,SHA256=03EA5D2AFFD956DF8DB2B66C4A0D4AC2B751F8F5B689EECFC69742912DF86EA3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
23542300x800000000000000025675Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:58.253{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32218DAA1830A315B7878903635637EA,SHA256=B8C7DCBDA9E11D37BD4A0C57014ABB539A17788EF710C15C8ADDE776C19EE8B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.163{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=BAD222DB26D230389EEBBF97E10C0B5C,SHA256=3A384733CBB5DFAC57BF25581F8A36FEA786D03AE23EA7D5C81401502F8ADA94,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.161{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=6C82E269EE2D8027D7805DC248175F9E,SHA256=D90AF0706F56F6FEFEE9610D9A62F99BEF3DE50986246D0968C33EB6C512AD6D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.159{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=4608CE4443A6827BB67CFA5B650ED511,SHA256=728ECB96E9B4780BCD3614DFFB9C85A89D864C20279B400EF34EA021A3707C96,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.158{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=52A63FC8922CA162C396DCFE3612BCDA,SHA256=01EB74E1F7A9A9168CF849EEFA052239A70063BB00F59C08655B101BB6C73CE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.157{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1DE06ACA5E8F7EF1A30D5C14938FD560,SHA256=9FEABE2624423E3F067CAFF53927E471C85EC055D44B2B4CC98BF35EADCFB760,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.155{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=6BB9EB9AEA5C56B2F0DE516F719574A7,SHA256=E9937CF99C71A7DC5661A526F1687E67D147F84DA992B6AD336FED97D01AB3B1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.153{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E6961F9F141DCE5891F9E820832EE2B5,SHA256=799D984E4F4A5DC5498E2845CB6667BD4266485E5BFD5200C26E10AFC96B28DA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.151{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=19DA9FEFC9D1CEC49159DD50A5E7669F,SHA256=A5AAEEEF60BDE299318659D0A43364C40B6E9CBC80D430AF54D5CD6F1AF4D634,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:58.029{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4915E8C911052A03794D448D91533E,SHA256=7A2BEAEB454ECD1F6ABCCA44D71DF907D60FE6507163ABFB77B8AC91549532DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025676Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:59.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E23E2D1219EE94A2F55FE826B580C1,SHA256=E82A3AC39823A365B39DD9444CADD81FB57A4CB6CEB019A4DABCA424FFF9C60A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:55.078{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52239-false10.0.1.12-8000-
23542300x800000000000000045783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:20:59.035{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA18C4802E322A9B118EF8173C9B7FF6,SHA256=F10163FFBB280B2A443D3C78010650A526CD5B6F9732086A10F0128BBA4769D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025678Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:00.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF98AB79876CFC429B51D40EED2A6CCF,SHA256=27F12A4B6F6A2C3762D97A9F070CB7C9B0F448676F687D85A7A02DF579380E5B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:00.050{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EAB5D62DE5B68C0EAE7BEA23FC29CC,SHA256=4B2EBEC1A6554622194BABA182C7CBE0A5710708227CAA77E4573CB1A9D1FD4D,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025677Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:20:58.706{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025679Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:01.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A700BB1DB46578AC700F7386F6F33BB1,SHA256=212DF1E5BF7BB3BC0ADB73B54ED2445DCB5CBFF627DA9615869BD0A8D418647E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:01.066{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D30A099610EAC09478F08D8F3BED1F,SHA256=DB6CB93DF50E2697FE4A7784C2DC6FF9856FC24C238CBF3783015FF155A91796,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025680Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:02.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26660909BD3C45B1B2F27B10AADB157,SHA256=C65C273EE63A89399DF794013F9B979BE76CC99A423187FE2B4708282D1C5EE0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:02.085{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0231FB2723786CA902F792B0F3DEB75B,SHA256=A77326A632D061105F333B1765F3B2D7F4857D6FF65CDEDC30BE3D51BBEE870F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025681Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:03.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A934A8F9A0FC34C3EECD4C59D5AA6976,SHA256=C688A113005EE0A211290662182CD58C04B82D52632813E011600BDD234E0029,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:03.102{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9FF356A70F97623AA749CBC380D3F1,SHA256=03EEBD221FA586A7DC5918A57B74CE558EB29CD9D7230BC8E3B1D73E8C0999D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025682Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:04.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4579176A0B6C9AADB1084A4A2A2874E2,SHA256=DFD127D4391B39A84B5F6390AAB5FC15958AB332FB6BE56BE0275D395C80120B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:04.117{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D57045DADA25E282F10CBAD5D190388,SHA256=32F169358777A30C58416C65D17A3745AE13C5990D2E57708AE72C34FD1F54AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025683Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:05.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D334B49A87E14A629A9BC23E4AB7C2CB,SHA256=4E01FED981D57A8F2D28D242A69D4BA19FB1021A6CA2FCD01F4C6341D37FBFB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:05.132{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB8DB51D6417ED774291D45BB178EB1,SHA256=717875A95CC2EEA2EB62BF99D0873ECFF3D060EDCFE9BC4FC66623F677F2D37E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025684Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:06.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1114CAA62FA9B536E3601F3744D8B2,SHA256=97D564D7755ABA2800561C25335F72BDCAAF193829D2AA6304BC824A1F8F5298,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:01.113{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52240-false10.0.1.12-8000-
23542300x800000000000000045791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:06.146{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3251339385D99A7EBB5FF3827AA7C21E,SHA256=0F92D577133956DA10862C24582C46BB9E44F66E2000AD607A32650976090835,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025699Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA03-6124-8C06-00000000F101}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025698Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025697Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025696Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025695Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025694Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025693Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025692Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025691Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025690Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025689Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA03-6124-8C06-00000000F101}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025688Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA03-6124-8C06-00000000F101}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025687Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.832{D371C250-BA03-6124-8C06-00000000F101}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000025686Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:04.706{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025685Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:07.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438E26B00C7AE5B2121C10FDB6B8CEA9,SHA256=1BE6672260F608F046D71A2D1143FED0936F7ADCDE9CD482CF1732DED6C49322,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:07.161{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138A28A4B445504511247DF92E611C7C,SHA256=4362B250E9BF9199C98E9D7869D946EE0D0C1EAB1D28EBF137920D56E57619FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045803Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.313{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AA706C33530604487A8218687008D554,SHA256=1BC64720569D981AC893C5F6F215103841A7A676CC9B54E3D9BB4C7DF617AE0D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045802Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.213{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=C670AE5DA454D0D1D0FE21E5758DEDF8,SHA256=E941B69B2632DABB411DF581C2BD641A713E46235CE1E9B801D43BA0B094BE0B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045801Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.213{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=3119EEDD0F52D022F5AD3BD060CD7EEB,SHA256=6F975608BA471B15E03A3B4D4C850942C0EE4DCE32394B361E19BB0DCBC5ABEA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045800Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.213{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=746FAECD01F3CCE909D6C95C2649C3BD,SHA256=540A05227E874CD970DCBC66F216FC69EE0E2B1642EF8564D5B6C564D917488F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045799Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A9C72E9BCF5526D6E0FA5C352B758FDA,SHA256=A0EFB82F495C8518C5D04304E657F0B84E06D5DAFFDDD5EC103878F3FD7EBB71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045798Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=CE8E4D9F3868DF681325F3A75C9545FB,SHA256=2B5C5954361E61F61519E6DB20F40322FCAB8BABDC3160F69C00025351989171,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=AD24DF1E9DCCF92E3C90CE92F53A68B9,SHA256=5B837EAAEC8417FC39BC4615AAFB43054232C1E6005A841419F6F44CB057446E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045796Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A636CE91AA2AA07262EA4E4C8796A38F,SHA256=63ED1C59C2FB4372C4DDA33C6214BF46D55561359EA91FAE8C95327E8D2D7579,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045795Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6314FE9AF98134A86795200565F6D72,SHA256=2672E22D5C4E5216948BB1A40733A19EFE836800B3380F8C05C49F43DCE37217,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045794Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:08.198{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=0FB86B1C261317BA1CB69227EDE97A09,SHA256=DE057B8BF296524240FE4698294AB1DF42BC05A7BF5F01C27AD6212611B31AAA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025713Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA04-6124-8D06-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025712Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025711Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025710Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025709Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025708Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025707Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025706Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025705Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025704Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025703Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA04-6124-8D06-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025702Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA04-6124-8D06-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025701Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.332{D371C250-BA04-6124-8D06-00000000F101}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000025700Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:08.035{D371C250-BA03-6124-8C06-00000000F101}31603744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045804Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:09.212{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BE04098DE6EF23774A1B9F5FC13989,SHA256=F136B4147BC3EE9EB39B136C9E1D6C46BFB53BF1762E26F55E2AAD97310DAF4D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025729Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.019{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A7005E6B41CE91FF2AA4FD6F86FD242,SHA256=E0C5015D441D7C85FD7B01F1D95EC2AD0052D5EEF1F12CA73803547B960D70DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025728Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.019{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7B620772A90CBBADC739D17AA7727E,SHA256=A9F293CC561FAB5D4DB8CD441E2BC267B20079DDEF72CBA6F2F2C4EC43FD5135,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025727Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.019{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=441E210EFCB29E306672E752767FF50C,SHA256=D5858C68BE73959623D05E91A0D5A7EC75BF3FA46C3CB0D1A03007BCB899B2EB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025726Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA05-6124-8E06-00000000F101}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025725Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025724Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025723Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025722Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025721Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025720Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025719Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025718Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025717Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025716Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BA05-6124-8E06-00000000F101}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025715Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.003{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA05-6124-8E06-00000000F101}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025714Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:09.004{D371C250-BA05-6124-8E06-00000000F101}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000045807Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:06.971{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52241-false10.0.1.12-8000-
23542300x800000000000000045806Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:10.228{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE510B1256465A4D7FB3FBBC698E25B,SHA256=5B180B88A8C54FD9E331AE65D02D4C1D12677B1F982DC5759227448F16237DB9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025745Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.175{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A7005E6B41CE91FF2AA4FD6F86FD242,SHA256=E0C5015D441D7C85FD7B01F1D95EC2AD0052D5EEF1F12CA73803547B960D70DB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025744Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:10.175{D371C250-BA06-6124-8F06-00000000F101}13803964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000025746Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:11.097{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7329ACD1F4B0A0098487042BD6DF712,SHA256=79B4C67887695AE3D030E41D018CA28240CEE882693609E7AE53C71C40707BEA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045808Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:11.097{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025790Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA08-6124-9206-00000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025789Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025788Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025787Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025786Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025785Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025784Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025783Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025782Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025781Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025780Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BA08-6124-9206-00000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025779Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA08-6124-9206-00000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025778Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.458{D371C250-BA08-6124-9206-00000000F101}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000025777Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C59060D897FF9A790A702ADC98134B08,SHA256=3807C289F42EC2C2AD2CC237D6BC70EAC39C39C2F9F7A5327AEDA5B926027E12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025776Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:12.456{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73B2352EC95F57B8C62ED9FACF58E7B,SHA256=8D5F5557EE21E34FD75C505178E8F064B5C112EC0AE041FFA07B445179BB93CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045810Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:12.258{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA25E75D343DA90A3C600EBB2BBB4E91,SHA256=5905D020C0A97B87BBD4DD869A0D80677419782C0ACCF86C075A75D831473143,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025792Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:13.487{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4F8208EF9158DEDFE691A82A6D9EA0A,SHA256=7E3FA57471CB8EC68C71AFDBC8E2C179E33904067ABE1EB8A9347598B1F696FF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025791Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:13.456{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE33410641660AA475C56EAB6948BC3,SHA256=0FCDD991BA9547159604FA5F19FB1314AFE185868816A0AE12E2E3DD2CEA3D69,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045811Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:13.275{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B44A137C0908B5A9E6698DF9CF039E,SHA256=55887EE6D7CD688E73DD95084B8026EF468588F087D25FFF46BE1C40994C8F02,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025793Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:14.612{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3070EF8269014FCDC4D1BDBA55098A4,SHA256=63DDB07D6335604A38B69819208209606012C77E6BCD58B9A9FD19675E82C82E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045812Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:14.293{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD191A8FD986A320DE389AA4EA598F5,SHA256=BFFA64B49D0F8D3C44F89BBC20AD86FAB8B3D9D905604D84CA111B59B4FFC285,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025794Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:15.847{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33BFEE7EDF8CED78E59DB68B306B64A,SHA256=806677C54F2A0E4E6ACA47B9C36DFE1E61B66B28B1966C7F0E86C439BD8E10C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045813Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:15.308{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894B368F1A54EB62F0936351D4C3CD78,SHA256=DE227DBE18AF5EB0FD7D466455A2C96E809EA03792FDB02089F542FA618CC0B0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025795Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:16.972{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9742C45DBE1EAD3EA07B0F02D277E01E,SHA256=6C9FD2A12DB7B12C47E899AACAE5FEDBE23A4AFFDDB3B2F4CA62A8A9CE61190B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045815Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:12.083{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52242-false10.0.1.12-8000-
23542300x800000000000000045814Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:16.324{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D567564E8D30F116A54C6375C447CF6C,SHA256=96D56D40F08251FFC908AEB1D21798358844619AB9B2ACED6FD609EB32D793A5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025797Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:17.972{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F8997B91DDB016DEE57133353A1ED1,SHA256=242869546C197DCE553741594CFCB4F39E8EFDB2F4B79DEF8188B6D004D42E0E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025796Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:14.768{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000045816Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:17.339{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F1CF57E275FE4408E9061671E4F9C,SHA256=BE7703E23A737E7E18C32844BA5B509F4A99AD055605A6658110D61780163DC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025798Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:18.972{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C79C2A94FBAE58BF81978CE2B7A7D76,SHA256=723F5C406916B5ED3F4B3822BB43335E26CD2EF4B42879CC1271DCF91CDD88F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045819Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:18.356{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B499166DA1910B1CE61AD9A2293B1468,SHA256=71133FEAC7B9864B83ACCDC914EA9912E425D93F4B4B987F3935C406B5A5FFE5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045818Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:18.340{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DA7F088B69B7640BBA4009725306CD82,SHA256=31B56FC2C3201B689A3120782E5EC244E824F490E5F00031325E18E1A49C459B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045817Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:18.340{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A82CF66460A1DA451FF26AA1138C633,SHA256=D96179DB6848708F04E473A6F723E8B275605DD6C6DA4E477C9C53485DCFF25F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045820Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:19.373{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE4100CEEC036CD07033346BCDF3B28,SHA256=688C03476991B769DA7083795ADF8DAE814B309029F2FB0B4BF22DFFB5191361,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025799Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:20.065{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDE04E01596139CE8E0B945FA2C1F29,SHA256=F0DDCB5FF5C867496BD6AADA9683B0F2F7688CC02235E15CBEDD02A41AFB2CA0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045821Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:20.381{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D5951C53327A5CA0037DD94F84CD61,SHA256=61A006ACCC8B3ADD3EC706819F6C42A7DF8A29D479E8578196ACA9F6D8F6CFAC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025800Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:21.097{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C489F335207756D9BCB75ACE24A1EE9,SHA256=552C5E806993D39882AEDE219D0BD873761FC1759C86B6BB8B9D738E67CD8F22,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045822Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:21.406{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35785133D0AF2D94D53138A504A2BE48,SHA256=73CC0B821752C0BB4C07FD7C4F9FB8D623B1E460F75DDFA72B502D724009079D,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025802Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:19.784{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025801Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:22.315{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5897716A5905EB34D507E27503CD7A28,SHA256=C7ED6C50F073107262EBC03DB4D4342375131B398E2E9EA64A5AC6E0E5347D13,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045824Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:18.103{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52243-false10.0.1.12-8000-
23542300x800000000000000045823Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:22.421{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183D475989FE4967D549C530F2DDD604,SHA256=E2745ACEF301F4DE84292F96D6139DC1F4B7DFC1D67F896919A6DAE41DDA891C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025803Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:23.347{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A894961A4EE2EB161B576AF097CBBA,SHA256=24F29808EDC699A23D9549CC65AB6F7E9AD67DEA8DA08EC6D810621BB55816A6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045825Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:23.451{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189622CA1434FE7167133DDF5C0A701D,SHA256=16FA46EC4FB8524A5947810480375FC234485D8E4DC1E693696D75245DD8FFF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025804Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:24.425{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83F6886087CA6616A6EDE28C83874B9,SHA256=A6AB10C3A63C33BBC95F94DD43E9AB893EA839F71A793C73DDE4FEC64D0CACFE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045826Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:24.452{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C06AAF810C78C2C04047176AFD212B,SHA256=DA3B7E569406D941ACF792647EA742C7286C0D39DE2CFA2E875662F3144A1FC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025805Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:25.518{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9DDAC608137C273F66775B7BA1BC0A,SHA256=BDDACE69A24F8A5B8D4A486F1B528BFF3A29E0D63CE53D55538ACA2EF1C768F0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045835Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA15-6124-2109-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045834Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045833Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045832Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045831Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045830Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA15-6124-2109-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045829Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.750{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA15-6124-2109-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045828Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.751{80A11F3A-BA15-6124-2109-00000000F001}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000045827Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:25.468{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A62347C351E2D3EB1F93A1F2F87946E,SHA256=C894CA0F26C858A852D11A6F2D98DF4F1AFE6D5D91BCEBEE2204865F32AECE80,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025807Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:26.519{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F514B29A1A576F39FE66A789F5B33FA,SHA256=3D8D10362C5D490A74B0A959FECFE082BD47D038802A40A57881D860F514E61F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.761{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8184413134770B3562111B94CC0A287F,SHA256=A42A544903C5D11185728151407E04CE269FAA989F4298A484644D06D2814B76,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.760{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69EB52FC7EEB6AEB64289EE4798CF11B,SHA256=4D944D7D5002B7B7A1D20353E06EA62D6D48FD61D33B66FA771D8F02FAF8C15D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.487{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543992868D9B1568892B94242CB5D1BF,SHA256=0BCCC5A7DC2C96E0DF0C9F7F26E2119A673B25938DA6B5460C4C1A110F913CAA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025806Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:26.272{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-100MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA16-6124-2209-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045839Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045838Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA16-6124-2209-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045837Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.434{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA16-6124-2209-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045836Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:26.435{80A11F3A-BA16-6124-2209-00000000F001}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000025810Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:27.532{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32BA31EE65913B583CECCF7A8EE18808,SHA256=DDA765B7F1FD2A489620502E2335860D48E67A3E7C432F39D11F2C75D71D6857,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:23.163{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52244-false10.0.1.12-8000-
23542300x800000000000000045856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.488{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EDF7DC0A30421C6D00DDDF92B9DB04,SHA256=C0103A2A7D142380E229E505D3535B8B80D62049CCD3F7993CECF0B591B8C745,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025809Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:24.815{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50941-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025808Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:27.285{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.304{80A11F3A-BA17-6124-2309-00000000F001}15846184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA17-6124-2309-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA17-6124-2309-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA17-6124-2309-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:27.119{80A11F3A-BA17-6124-2309-00000000F001}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000025811Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:28.535{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D28B0857EF1B5123FD2415596BAAC20,SHA256=8CCD08A3AE4766944756A017D2C1E33AC6F6E95EB58C9714A9460D1325740E7A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.892{80A11F3A-BA18-6124-2509-00000000F001}47166832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA18-6124-2509-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA18-6124-2509-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.707{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA18-6124-2509-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.709{80A11F3A-BA18-6124-2509-00000000F001}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000045868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.489{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98C78C4E0D1857893FA2A93C9B544C5,SHA256=3A662CE12EC50A890C3C84A833D43D79585B777ACF9EEB227A888E43912EC7BD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.303{80A11F3A-BA18-6124-2409-00000000F001}60484076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA18-6124-2409-00000000F001}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA18-6124-2409-00000000F001}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.134{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA18-6124-2409-00000000F001}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.135{80A11F3A-BA18-6124-2409-00000000F001}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000045858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.119{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8184413134770B3562111B94CC0A287F,SHA256=A42A544903C5D11185728151407E04CE269FAA989F4298A484644D06D2814B76,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025812Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:29.535{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B46A769E1D0FB113EB84A60446865A,SHA256=3C26DC215CF8C4CCFDE00DF0229A1A397FE3CBD7DE28CDE962AA8C82C6DF073A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045888Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.576{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD58724A1E904280406F459C574C421,SHA256=8A27B7EC7888563F4B84E02AA3DCB70778DD8BAECFA914954BDAFF7517A4E7F0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045887Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.539{80A11F3A-BA19-6124-2609-00000000F001}47886524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045886Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA19-6124-2609-00000000F001}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045885Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045884Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BA19-6124-2609-00000000F001}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.339{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA19-6124-2609-00000000F001}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.340{80A11F3A-BA19-6124-2609-00000000F001}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000045878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:29.139{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32D8321B6F508F5F2B371451840B39D4,SHA256=BF3672A3839B441712ECB62B0E52D82A92872365D1AF1E4C8289AC7A313368BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025813Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:30.656{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D7B170C2F3DF9DC8C7F162DCED19FA,SHA256=240E1D09C9014771D694F047270D0DCE762E5363099088D2B021A90C680B1342,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045898Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.610{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8310ED4A14CA654C1AF1354CBAA0B1DD,SHA256=7AFAF67E45D9258BA6F5D99ADDC9E6262D4E7989E0A3C1A523EB377B8544CB7B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045897Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.342{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67AD5B53D6D849ABE49434D0A758F481,SHA256=EE3CF92D44BD93BEBFC9DDCC6596F9B6C3189806AE56E5BB892A66ED798FDF29,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045896Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA1A-6124-2709-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045895Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045894Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045893Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045892Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045891Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BA1A-6124-2709-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000045890Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.010{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA1A-6124-2709-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000045889Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:30.011{80A11F3A-BA1A-6124-2709-00000000F001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000025814Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:31.844{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88420844DF2A5CD5EA00E49F646BEEA,SHA256=46F1DC8B47880010CDB98AFC9B349341D06788546A0E1EC848AEF89B79EA2AB1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045899Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:31.625{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285332D0A12485FCCDBF6B1A79D28AEC,SHA256=8BC02BC4CB43FC12758E3711A6E63E49A72506E854E768985AFDA172430A86E8,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045901Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:28.985{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52245-false10.0.1.12-8000-
23542300x800000000000000045900Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:32.640{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503C52CA6E02938CC6DE97446044C00A,SHA256=32738676F157AAF035F4E44979C1EED63EE59E758597E89BFC2D0E26DC8BE9EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025815Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:32.719{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025817Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:30.672{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50942-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025816Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:33.078{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B91D488A65DC57F2F5DD7B94C8F4CEB,SHA256=F168E73EF136A3D1F91B22F0BA41A89724CBA36AA7FD566DC47D6C76C20D162F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045902Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:33.642{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1C4229C33E10E30678746422C6D958,SHA256=8027A2215D0F984FD14CF46C5088D0B25B59BD936A72FF28EE9E85BE84DFBC56,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025819Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:32.313{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
23542300x800000000000000025818Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:34.297{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE791C40BCCEA1B746A2A49472D59A3,SHA256=1FF0DC9ABBD4E79635BF07D4EC6FFCA4472AA4776C892EB0C220B3B589946627,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045903Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:34.657{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA5992FEAE716E2DD22326E34BBCD8,SHA256=48F23E2B37755334FDAD23A82ACBA3121D4F014EA7CB26D95FCBF4E8EF13FA6D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025820Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:35.531{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896715A849CA3A099571A6105E48BFDA,SHA256=8847BCE8D354DFCB4D9D3B36D27DB43239A2EFFAAC0DDFB501ABC5A92B6D050B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045904Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:35.675{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369876997B3F708E782C8981859AA607,SHA256=739AB01030FFA5044C558DA49881CA8825BD7227ED7204EC618204496AA988B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025821Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:36.656{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B745C02F0447BF80120335023F13FC70,SHA256=F459CEFAB4226CC080C45A2DF248BB3F353A9A7AA41695FD9511C2EF8C5F5C88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045905Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:36.693{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D374F6472E5920F90D29B62A2ACF207,SHA256=348D384F94922537402EB110C468F290B606F79B1A60AB03AB4BAD63D0BD0EF0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025823Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:37.891{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F39680F931227420C0518FE3862B0FC,SHA256=13A40E8D1F19136BAC3C72358703BB3C41BB6671D8FBDD8BF806FC7B61ED2C1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045906Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:37.724{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BE68690A9409D885A20580163E0BD2,SHA256=BFD18FF311489FE20D61419D1A91BF0C9D60771E0153000A85122E8669B3E09C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025822Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:35.719{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x800000000000000045910Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:34.984{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52246-false10.0.1.12-8000-
23542300x800000000000000045909Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:38.739{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F581B495CCAE4121F68CC32EA29235BE,SHA256=E16E34E15AFC5ABA10D2A9290BACD497A7B48F7E55777F09BBCCBD1AE7392EB5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045908Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:38.692{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7578059434605C928880A042D1EDA7,SHA256=A5AC9ABB6AF3D042472BE5ABFAC661072A75F7135C5323E2E089083B5E291237,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045907Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:38.692{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB052D71DC62553683649A895B814259,SHA256=71EEB156943D7B60C418E08F6AFC8FEFBF8CC07E8612FCE2BD1EE0A97767F45B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045913Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:39.757{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B4B786FBAC47343401CD8C2EFB86E0,SHA256=5D395FFFD2C6A83CD1AB9F0D00C069757D4D6C6AAD78C9A76B4E6C3F6DA9BFFF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025824Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:39.031{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2CD40F92C665FF2BDB93BDDDD4012B,SHA256=594007B1B5F54E3510F6DED80E0D46A9ED14B004788B017BB4FD924BF9B931EF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045912Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:35.568{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52247-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap
354300x800000000000000045911Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:35.568{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52247-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap
23542300x800000000000000045914Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:40.757{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DCFAF29EEB2A294C50FAAB968CF699,SHA256=610BF1FDFE7E202A6A3DD8C5A8BAAAC013D67AC49C80AFB8C6AB2E5B4B464D31,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025825Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:40.031{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73174A07698925F8D98E683ED532009,SHA256=CB6100FF5CCE668BE92FD8AFA8A5950427C71FCDE33B8B37A07C133F9ADB40ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045919Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.778{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434F26CA00689391592EF824D60D006C,SHA256=54C1169E3457EE2D4B0CE7137A4E47773722A419C7CEE5AAB1F8B9132976BE71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025826Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:41.031{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C1266A58A1EE2F39F8FEAE4D714D12,SHA256=5A07FF716AC590F3679659CA68B60ACB6DF5578B4AD74D0CAC89080D410EE30D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045918Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.210{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad
10341000x800000000000000045917Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.210{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045916Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.210{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF663b43.TMPMD5=042017AEE2A6D70371EA976ED2DA549C,SHA256=A6CD906A79F3CB66129A7F4540F5445EA9A7BE4AFFAAFD6FA65B44CCD7E0A3F5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045915Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:41.210{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+3c6f81|C:\Program Files\Mozilla Firefox\xul.dll+3c6b04|C:\Program Files\Mozilla Firefox\xul.dll+3c69a8|C:\Program Files\Mozilla Firefox\xul.dll+c2d3db|C:\Program Files\Mozilla Firefox\xul.dll+c26192|C:\Program Files\Mozilla Firefox\xul.dll+c2b7d0|C:\Program Files\Mozilla Firefox\xul.dll+c2bf2b|C:\Program Files\Mozilla Firefox\xul.dll+3b9291|C:\Program Files\Mozilla Firefox\xul.dll+c2ccf9|C:\Program Files\Mozilla Firefox\xul.dll+c2fcb2|C:\Program Files\Mozilla Firefox\xul.dll+c2c716|C:\Program Files\Mozilla Firefox\xul.dll+3b8a98|C:\Program Files\Mozilla Firefox\xul.dll+c0d1e3|C:\Program Files\Mozilla Firefox\xul.dll+c0c3d5|C:\Program Files\Mozilla Firefox\xul.dll+c12c4b
23542300x800000000000000045920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:42.813{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF880681D4BD3EC9ADE9C34079639423,SHA256=3262E9FFD4056392767BBEFC7C3A1300A48A427810E28AFAC3D0BDB0EE93E3F9,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025828Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:40.766{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50945-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025827Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:42.156{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97C53B8EE5F6C4EC8D4240E0C549BDC,SHA256=7D5C353B10164D9B25FDF9B54C1C669362203436ABC0FDEDB79C35E4BB99692B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:43.814{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B502621B3C14DE063827CBD50E32B14,SHA256=2EBF83283A28D784BA119EA724D83610382E05CC43873B2AB5E54492256433C8,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:39.985{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52248-false10.0.1.12-8000-
23542300x800000000000000025829Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:43.156{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB034D56F9FC3F7E009D42E7EF8DAFBE,SHA256=A6C1AA328C86270EB89E763277171AA9833AEA1156A2BDA6D4C2259B98F72407,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:44.830{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B61D8B7DA3BB2282A0F8D1613956A74,SHA256=0B4581C3A430DDDD9A3DCBC120FAA6C3C4EF194741325685EE444FF7C9E52280,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025830Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:44.219{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275B8962310C50273B4A8E8E8E55898F,SHA256=8D24C512C307A96EFDEADADA75406FFDF1370B960864464B86A66A202DCB40C3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:45.830{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E01B578DF239C842085CF2E28412F81,SHA256=48CE0B8D2A26C57681AC38786815783492C5155918C51C4D437B946AE987DC3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025831Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:45.437{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F73666934A5E293903C273872B70B1,SHA256=15C5A7D35550316F71C78ADA08E8EAE69A33184CC19DE0F6E829D2A29C3B64C6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:45.761{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:45.761{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:46.831{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676357C7912634434A1072C87DB3C47F,SHA256=C9E9876C28A4D026FBC97BA764435B406F7C8569E38A5E441153363B57CADC56,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025832Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:46.562{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC725DADE82528DC7D1144AA21C60FD,SHA256=113C8BA495A54FAAEA5CCC11A9F53911735ADB8C6A087C5F4C545B54F19417C7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:47.861{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CDB411ABBC62703DC787B7E3040618,SHA256=2CF7A6CD831E1C757F074E184743C4F168733689EFB8EF2D232A1AB1175BDF2D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025833Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:47.625{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E41F418073C9EAB8B71357A7B898E8,SHA256=DADAA33E21BF2E9D2ABB93918663DD95D987FC1EFCBED0E863392CE39D8FC54B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025834Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:48.703{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FB3DC24747585320B174B3EDFA8D5A,SHA256=0FE9B7A0143B5C09C8DF7C3DC0E3ABDC5CED0145973F5A1C04AF20F6E9988B73,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:48.898{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B572C73675DA3506138B2B26A629D90,SHA256=AA24B6EC5D0EE15FA011CA69EDEA7C3602EE99D1AB4472930F0BEEDFC8336034,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025835Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:49.926{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E31E52D5CF9BBE071945E8661263CB,SHA256=A7DE3BA9EDCE8499B10945BE2A2A40E43356FD92076FFAC445375EEC98B32A6B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045939Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.929{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D1F656411BCEF556B62D81A6238708,SHA256=F36DFE68A2A2BD336119E6D00E642C2CC176EC84C8B8652B6C07CD8075D6DDF8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000045938Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.813{80A11F3A-A44E-6124-D004-00000000F001}41604572C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045937Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.813{80A11F3A-A44E-6124-D004-00000000F001}41604572C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045936Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.813{80A11F3A-A44E-6124-D004-00000000F001}41604572C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045935Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.797{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045934Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.797{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.797{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.797{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.713{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:49.713{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045941Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:50.944{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9FE86FEBC82E2C275BAD093A7A786D,SHA256=4BC80E776EBF9EE9BD514759468DC449D346F73C43868C1C6A2EA818A37A8E29,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025837Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:50.786{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=09C63A31FDB51643A00D752C0DBD4EFA,SHA256=2A210630E7EF88A47D25D49863C100AA76B3B4479A6AAB4DB2FFF34C41D19088,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025836Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:46.672{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x800000000000000045940Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:45.974{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52249-false10.0.1.12-8000-
23542300x800000000000000045943Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:51.959{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0FD67B2EBE3CC39AEEEAECB24750AD,SHA256=80A4F0593D4D13E21745A500CED9C75854BC9FF274DBA046C80E697525DFDC62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025838Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:51.036{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8CA343345438A732BD26A79EDA2B0C,SHA256=45DB8259BFF2AE3D97B921C8DA9EEB416203DA08A01851A8B4F584D9D9842754,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045942Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:51.059{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045944Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:52.976{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E4E459B13F814F0EAE8E8F24223BF3,SHA256=214CFD0385D71D4F08862EE8D64025FA35FF315902492677BFFFA76552E62258,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025839Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:52.255{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039C6BE84C79698F7E066F78A7212439,SHA256=7558709CAECDEABE4FAF91DA7589EDF8415B2928FF0C51C409403BCC1A8F8477,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045946Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:53.995{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A211DF2485161C2AAB49BB595C6722,SHA256=CE0F02D187E3C28EFED14DF73DC95D066FD5620CA1B5E754FA568D13182353A4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025840Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:53.270{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC34A38EA530785DC3F95AB5DCA9037,SHA256=4C6AC654BBBBA4BBCC1F86D1620C37482418646594978848082B6444AD99B655,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045945Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:48.957{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52250-false10.0.1.12-8089-
23542300x800000000000000025842Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:54.426{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8CEE597CDC1F1CE4A05DB7F4FC8152,SHA256=3B21A77248AB8558E1D3B0DDCDDC62F532BC076F71D18AAD74C888BF4A0E9D3A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025841Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:51.849{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50947-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025843Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:55.567{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881F87BF96422ADC2AEC263AB5965E76,SHA256=74069A411B9FA42962E4B3965B0754DAF3C66DBF7BA2686A97D4C5C71F1091D0,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045948Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:51.087{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52251-false10.0.1.12-8000-
23542300x800000000000000045947Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:55.025{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94915BAEDFE0315C60EA4D61670ADB6D,SHA256=8E3F8871D0FD4330DA86AB3285C4A084F158C34E7D942A1ABC8B6064C46CC6BA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025844Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:56.567{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F496E31D84DD8D1DE93AF86D78867D5,SHA256=4C5D2968C0686F8E53D1A9ED0B798208543D6512D4818BC1D3DCFA0222D28A1A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045949Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:56.056{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888170655EC3707CDC53D97146A613CC,SHA256=0CA8DDB93616DCC5826D15657ED2E86A9519206661FC5BC900767BA25BEADB1B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025845Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:57.583{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA30D76D9FCD9811EBC288CB73E512F,SHA256=AFD1222A48FFE23637C221F1D249B7BF8C63DF3AD3C6CC96F76423B938FD79C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045950Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:57.078{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86E7ECF97863FC21A266759C4E49211,SHA256=4CEBFEBD09F069DD8F188B552550918719514727A13CEBDEF19F598A78B80FB9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025846Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:58.583{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F17E1717145446D0683BFC916DB19A,SHA256=2DA5685F2D6E977384F6595C1BE04FDF291CEDB5F7E70FBBC52B39FAE08E3955,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045951Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:58.092{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B85FCFDEA96D2373621AA81280B14CF,SHA256=6AD87EEDCBFFA607FC5CFFE59E1389440972F1E3ECD1AC3C0A13E9AAB22D97D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025847Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:59.801{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E04F1AFB1F4A0D45F59E0183BFB7B0,SHA256=5AD2C59DA6587D39A6FE50EF6D9C92A028C5DE190EBAFEEF24CF04B4CD220DA1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045952Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:59.154{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5A2A6DAB3C3D5204FA1DED1A6C08B1,SHA256=D21F0FB29E002D4DDC878FC7323A9E35CC3783233E1BFF6FA4DEC4B09B3F7DB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025849Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:00.973{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C9D6336A0BE3E6A34D7963C470377E,SHA256=1BBB1835FC71BFA7114A4341AD7CF4D2DE1B1BC6CFDC5C7388C55259BA6E38A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:00.155{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FFF8D9BBA3622E01748577BEDAEFB5,SHA256=B75ABA1C3D5A0D26F0D6989A1242D9A53979FE802740A93E07E2FA414A280FAF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025848Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:21:57.630{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x800000000000000045953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:21:56.106{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52252-false10.0.1.12-8000-
23542300x800000000000000045955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:01.173{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7FC393F7AD09D41C68DE9673B995EB,SHA256=415B60973A050F364E5362493906AF02B8FC4FD977185A5697DD7B8F2BB786D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025850Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:02.192{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFBCD44883AC518A010EF6AC1BD3484,SHA256=F6EF447EA0517B9FBB64FD9AA35C2F8440CAAED3D69C5431B2F7C0A547AAEBBE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:02.192{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935FD03973E69C6FB44B992532CF8BA1,SHA256=750BDD0CE756EBEE74D7763FC74D98CD7264404EC8F309BE3F628C3F3D64C5C7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025851Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:03.395{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82F1C2FEB8F7630118D92EC990BBA44,SHA256=B3144BBB553C239A16C036943EDB312D4D10369A4B4817D034E5E5B6F5998A2B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:03.207{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1FAA01562B36006D8B81A5C5A63EAC,SHA256=7F5B8E7008D2B1ACD8C074622B41A8C7336D3E4018F632DDBCDD738340230558,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025852Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:04.395{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A1E87FEA1124E50BA7714D06442FB4,SHA256=E1087A4770D03A368B481C0D1239EB5284E68502C3DC14F91C003BE5BEBE2F92,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:04.208{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D78DE34A5DBE1354910F6DF9436056,SHA256=2AC6BCB1A806B9EFC05A628229A14B016E4C3CF94C1AD4DDA1988979F2275689,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025854Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:05.598{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70E6008976C9A1093C021CD77AF2BEC,SHA256=4D34193D5ECD479764D1D20DDE33135E6F0A595DE2CA81A4FCE5E7D2CD81BB83,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000045960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:01.968{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52253-false10.0.1.12-8000-
23542300x800000000000000045959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:05.208{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25B38D05AAC7CFD1F20E37C151FDB9F,SHA256=884C7E7728A01FC9F4733ADB7522CAFDA9CA8B3E839E1DF91CA6323E874C4804,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025853Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:02.661{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025855Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:06.598{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1A92B8F7A4A0EA24C68C153816B4C1,SHA256=A16EDCA12D1351B3701CDA67ADB39CC0075EFF42F7A9475A12E6DB1F9C1D4D9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:06.208{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D2DD82E7E42DED1CE229148B118C88,SHA256=E09B407B662547F6DA14FEAA272B6140EA79D3C51A58CDAAB3490AF4DB75E48D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025869Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA3F-6124-9306-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025868Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025867Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025866Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025865Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025864Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025863Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025862Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025861Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025860Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025859Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BA3F-6124-9306-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025858Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.848{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA3F-6124-9306-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025857Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.849{D371C250-BA3F-6124-9306-00000000F101}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000025856Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:07.598{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44CE17507DE160E2A18BEBB24CAE7CD,SHA256=1E5EDC65FF6CEC434571CB9B383858A17EE2D4E6C61907590203645E1CC97764,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1EC969CDDC080FA0BDF11430DF09D816,SHA256=E7D28D01908750FC1A53A3601E18BB9DA643814126D4267496FA1A595DF872CB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.338{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E5BEB2B67AF7AF8A216CE1515B53A493,SHA256=64203FAC6D1A8817FF9CAD75220AB23213CEE909986EDA47AC65BBC3A0B9B81A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025907Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025906Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025905Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025904Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025903Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025902Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA42-6124-9606-00000000F101}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025901Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.038{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA42-6124-9606-00000000F101}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025900Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:10.039{D371C250-BA42-6124-9606-00000000F101}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000045974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:07.035{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52254-false10.0.1.12-8000-
10341000x800000000000000025944Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA43-6124-9806-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025943Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025942Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025941Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025940Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025939Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025938Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025937Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025936Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025935Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025934Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA43-6124-9806-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000025933Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.835{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA43-6124-9806-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000025932Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.836{D371C250-BA43-6124-9806-00000000F101}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000025931Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.319{D371C250-BA43-6124-9706-00000000F101}20682368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000025930Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.210{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F24E729BB5AF2B37038BA3C24794F27,SHA256=E010A7FE93EFF7F3B27D8B7AF93A83E2BD5209598FFCEE117ADFB2FB55F8BA7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:11.625{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-108MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000045976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:11.292{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643013E3A6F4E6A0292864763939F653,SHA256=468C1CBDBFBCF693405E908256DCF4D494D77F31BA6B98E2635D69840124AC4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000025929Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA43-6124-9706-00000000F101}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025928Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025927Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025926Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025925Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025924Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000025923Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:11.163{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045999Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.350{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045998Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.350{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045997Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.350{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000045996Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.350{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000045995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.134{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\protections.sqlite-journalMD5=36EF19DC78839B600FA39CD0D24EDD09,SHA256=2A6065A9E6BCCEB9F244BD8C30ABB169897D27330160336FD611E7E4C367CEE1,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046011Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.072{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52258-false185.199.109.154cdn-185-199-109-154.github.com443https
354300x800000000000000046010Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:19.492{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local55511-
354300x800000000000000046009Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:19.490{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local51856-
354300x800000000000000046008Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:19.404{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52257-false192.0.76.3-443https
22542200x800000000000000046007Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.353{80A11F3A-A5BA-6124-9206-00000000F001}5540analytics-collector-28944298.us-east-1.elb.amazonaws.com044.195.138.131;3.215.161.145;100.26.82.72;3.224.104.154;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000046006Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.352{80A11F3A-A5BA-6124-9206-00000000F001}5540collector.githubapp.com0type: 5 analytics-collector-28944298.us-east-1.elb.amazonaws.com;3.224.104.154;44.195.138.131;3.215.161.145;100.26.82.72;C:\Program Files\Mozilla Firefox\firefox.exe
22542200x800000000000000046005Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.352{80A11F3A-A5BA-6124-9206-00000000F001}5540collector.githubapp.com0type: 5 analytics-collector-28944298.us-east-1.elb.amazonaws.com;::ffff:3.224.104.154;::ffff:44.195.138.131;::ffff:3.215.161.145;::ffff:100.26.82.72;C:\Program Files\Mozilla Firefox\firefox.exe
23542300x800000000000000046004Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:23.502{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F02800AC3E5A07BE3D6BF336148157,SHA256=5C9835CA45759D62564B69A3B5D0D4EA721FA75080B61B2B804678C584D4E2CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025974Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:23.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC341F89D2EBE9DD6C22084BCD58CD92,SHA256=A957FF2565E8532BF5EE3B635F66578165036717427F2B6D4DD08D893A4826AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025975Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:24.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074A7ABAFE344C9223785D65B37ED11E,SHA256=E0A43E4CFE394E92CDC0960501BD2D4F1F5B2E4B62CC53FF547E2015770CE412,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046014Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.439{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52259-false3.215.161.145ec2-3-215-161-145.compute-1.amazonaws.com443https
354300x800000000000000046013Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:20.350{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52005-
23542300x800000000000000046012Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:24.517{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85338CA0EA923DB69E4A4F346ABC400,SHA256=614A32C04B55ABF9A2874978978D6CF012DF32808D53A8AA488C40A9008C9D04,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025977Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:23.805{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50953-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000025976Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:25.601{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B6B2CBCE6D9521EA1072B941C347C9,SHA256=CAFEF1E9CC12EFD26357D7D691DB4C979A28B7593FDFE9296ACB2541303A15DF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046024Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.769{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA51-6124-2809-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046023Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.767{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046022Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.767{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046021Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.767{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046020Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.766{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046019Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.766{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA51-6124-2809-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046018Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.766{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA51-6124-2809-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046017Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.764{80A11F3A-BA51-6124-2809-00000000F001}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000046016Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:22.164{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52260-false10.0.1.12-8000-
23542300x800000000000000046015Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:25.532{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD964585BCBB4449C0C6D1E4416CBA3,SHA256=44C7AE6B1D74E74D7DCF9140EA6FE392E3C7C0950A62F4125BA579B791E653ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025978Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:26.616{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03CCBD0DAB97FDF069DE1BC63E7A6D2,SHA256=B5FB61DD82639D2BA242A35C13F7D57FA219DC63FAE24FD2FB14C631C39A379E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046035Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.769{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D8B8E6C3C90C692007391FFCD00E73,SHA256=859949B8D92E3FFB01BC94C219016DCED13A13C58FEC0053E862A3F44CDBDB8B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046034Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.769{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7578059434605C928880A042D1EDA7,SHA256=A5AC9ABB6AF3D042472BE5ABFAC661072A75F7135C5323E2E089083B5E291237,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046033Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.547{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00543BE606CD5B719C529955E735AA8,SHA256=4D01D8A924ED02470B98BC4555049F6415AF9155AC386A8897C5980667E57C33,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046032Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA52-6124-2909-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046031Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046030Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046029Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046028Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046027Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA52-6124-2909-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046026Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.431{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA52-6124-2909-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046025Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:26.432{80A11F3A-BA52-6124-2909-00000000F001}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000025980Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:27.808{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-101MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025979Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:27.650{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EF106DA67A23862DBDD8CAB351353E,SHA256=473CD1D79C971E8DD0B7FF7D9AAAEA275A90F1E13BC849C379AA791C8A5359FF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.568{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC01DAF769E0F2465634F71ACAD1F48A,SHA256=AF1794812F110C4940C75D9BE294163451457878643484EF70E012FAD80990DA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.284{80A11F3A-BA53-6124-2A09-00000000F001}42964076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA53-6124-2A09-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046041Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046040Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046039Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046038Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA53-6124-2A09-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046037Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.115{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA53-6124-2A09-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046036Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:27.116{80A11F3A-BA53-6124-2A09-00000000F001}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000025982Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:28.877{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36700D532EBB3F1F3B9CBFE7B39AF92D,SHA256=4C893E6B998F709898D30C378831CF4270B2E256DDF9627C23A256F8923E9F51,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.944{80A11F3A-BA54-6124-2C09-00000000F001}46126284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA54-6124-2C09-00000000F001}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA54-6124-2C09-00000000F001}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.798{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA54-6124-2C09-00000000F001}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.799{80A11F3A-BA54-6124-2C09-00000000F001}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000046056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.582{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C48A22B7D48B7A79DC6FF6A17E1363,SHA256=89CF2307E36C888B4313BE3BD4191D8170748636AF939912152D07402BF7F581,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000025981Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:28.818{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.298{80A11F3A-BA54-6124-2B09-00000000F001}71447040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000046054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D8B8E6C3C90C692007391FFCD00E73,SHA256=859949B8D92E3FFB01BC94C219016DCED13A13C58FEC0053E862A3F44CDBDB8B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA54-6124-2B09-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA54-6124-2B09-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.130{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA54-6124-2B09-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:28.131{80A11F3A-BA54-6124-2B09-00000000F001}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000046080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.963{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.963{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.963{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.671{80A11F3A-BA55-6124-2D09-00000000F001}7121152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000046076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.597{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D35E96C9062110C01812D620249F5A3,SHA256=76CF405E09B6785EAE74FA23AA58F6606C896B795452399A8317BFD8F9684EC4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.497{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\permissions.sqlite-journalMD5=68A91F749068932505C4C4DDA9BA8ABE,SHA256=1B3FF6E458916DE4D249D9BCDB17208F8788F39BB9090D0AC49FC7D378E97AB5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.464{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA55-6124-2D09-00000000F001}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.462{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.462{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:29.462{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000046121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:38.115{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52264-false10.0.1.12-8000-
23542300x800000000000000046120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:42.029{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620DBD7A8047EECBACB578714F3C50CB,SHA256=ADDDCFD3DB5B52B0C0C7F6334A5AF750BCFA9065A653FB89C728A4AEA05F5EA1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026000Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:43.249{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C0F91CC973C69D31A48529D143B5A6,SHA256=688ACD9404A8FE8C102AB63F07C305BF8CC11A54FC9A6AE08E011BF3AA9D11C4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046122Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:43.044{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524FEC89CB9753D05388223772324815,SHA256=53D2B9122AB2EB020C38ED3FBF019C634C3D0D9190792FE714F8A9AF0EF05784,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000025999Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:40.703{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50957-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026001Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:44.421{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108C7B3680287514E18D315F2F30B9F8,SHA256=D6CA9E7A55A8BF7601E4FD24FAEEEF105D654773D93D1B8C1E33A0EFF9EC37A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046123Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:44.078{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D89A74E5B64EF2D0BC2F6FE59D0673,SHA256=125B1C280C4C3B9F197B33789F5B477F42538F3456295EDAD24C835B07A20DC2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026002Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:45.436{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B184B94DC44D71296E57BB5259F6A6C,SHA256=88CAEF10DBBF45BAF5607DC9AA646EF52BA0B047A4A2A6A261F4D54247496EFD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046124Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:45.096{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BD9491265192E22B450606BD025AFA,SHA256=CD52EB8650786859D01E81C64603D71EECED1DACDFA3EE9A0DC6EEF89E2F56E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026003Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:46.468{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010AE16F93D62A341E928633F14F6F60,SHA256=4BC284FE947BCC05539C9354878FCEED78DABA1E86DD1D759E2DC99888108DB4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046125Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:46.105{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087194582E8893266EDBF6276EDE403,SHA256=58ADC511B68413546DDC3A19056AA019A95588F23FCE68DF82FAD81AC8124B7B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026004Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:47.468{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA0EE7BE8AAE76ABFB5C1A2D7CB568F,SHA256=1D926EE6C3E0CF0BC5664E05031BC2255BC4BD2410BC47CC3F49A88C54529AC9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046126Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:47.119{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB640B688C5F6918D20E6D7051BC162,SHA256=63DF8A64E66120F2BB4C0F22FB822D6DF55EF14FB50F0D1514CB397B5C6CAA77,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026006Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:48.499{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC05B455AA9610AB8C1808C29EAE462,SHA256=C31E57D3F017F1028EC4BAE8610CF0B0F725B0580B8F094CF6FB004F27E6CA9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046128Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:48.121{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C766C79697C55FB4AE30EC1714D2B463,SHA256=A1AA04C2398684C2EDD075702E419449E4CC39A93B230A98E678DF37025703B3,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026005Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:45.822{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x800000000000000046127Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:44.099{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52265-false10.0.1.12-8000-
23542300x800000000000000026007Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:49.546{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0E3DD61EAD216661023CB2C7DCB630,SHA256=271CCDE52ABCA53ADE15944860D9CA24C23A817160CCC7EDBDEE2171F634C444,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046129Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:49.135{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D716E98A4D896D0D0170E3D142CBD8,SHA256=46A8D062386F4C9D8952F16856E0A7F86CEBF063B297F3C00052C39A530026B4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026009Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:50.795{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=719563DAF7C2EBA0482D0C39C2B1F457,SHA256=08366E4DCFEBA0ECE674D0A5D4F32A9372576A4615EAAC351A102954FF0298BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026008Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:50.670{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA69F8F67F282AB1ECF45BC1F33C967,SHA256=88D7529656E4D6CAE8364038297704071CF595948367A8B8BD0F196C9F05A298,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:50.150{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F24D3C67D530A51771926FFF898652,SHA256=5C2E55B48584F3A16658C18C6021EC1434A20684B897200F93BB5FC1134B8974,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026010Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:51.670{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A02E3C7A9FBD5EEDB36AD3EAF33CBB,SHA256=E4876ABF1A4F2439FDBE9BB3D05D6DF1018C4D120FA2D0879B0FBDCD803846B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046132Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:51.164{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0206864681750BD7BC95CAF9664250F,SHA256=0A6FCF96CC86A3FEA264700F89DF77C141C572CC0E7BEA9398F4180DB90DD8E2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046131Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:51.086{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026011Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:52.670{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB6A79BD4F3FF2ACFBB4B4741538F17,SHA256=E679108EE835E5CC6BEA43ABF23C41D8CE80AF3210EA8642685A7BA4CEFF2D6B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046133Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:52.181{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E4631101C659152EA58DDAC54CCA2D,SHA256=47B1F6D2272A25E2F1C266750BE198DA6D6E5FEA59AA93F95977A6D7657032C9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026013Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:53.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3488AD148212383647D35EAC9E8DE32,SHA256=CB709DD9B55B2372BB3CA7F4B7EE9CAC1D492D23829A9D5907581C3691A6AE61,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046136Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:53.200{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FB285EE57B9F9B1784B50D6FC29EFE,SHA256=B10CE2D2BB6E629A1A01165093421AEA441422B85090918F61558A170AB1E684,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026012Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:51.765{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50959-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x800000000000000046135Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:49.119{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52267-false10.0.1.12-8000-
354300x800000000000000046134Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:48.981{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52266-false10.0.1.12-8089-
23542300x800000000000000026014Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:54.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8A28A86E43D4C0019A0AFEBF27CD8E,SHA256=9006E2970BAB80119587FF5AC72F5E2C4075A1B5C9634C1575B8E22058653185,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046137Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:54.215{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641FE8669D3ED0C9C87EE975740CA8FC,SHA256=26B233DBA1F3456A674B29B67B50A93791501B0CFB35CEB17470DD06238C9929,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026015Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:55.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE39EA626661CDB662711CC28BDC653,SHA256=63AEBE38E81882E6E187B3E2B02729DBAF71E7BB46F0C56D7C887CE0A93FDC0B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:55.216{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE6FF370E4F726639778B1ADA03FD72,SHA256=FB4F5433C7C6341BD7CCF2E40461A3672B58D394EFA86A833649BC5158E6DB46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026016Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:56.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF1B304F565802D94DA97A5673753E5,SHA256=C1A0C5D59B27753DD6C5438D992EFA26459136AB9FDAB90D7C742235D7F67F4D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.247{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E57D0A291FF4876B2CE87EF48ED390,SHA256=1114FFEC8D64130777185933872BC9B050159B9E8D9A85F0A691BF4B531F1BB4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026017Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:57.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6A40CF0F2EE2094683C5B9739465AC,SHA256=DB3FA35006102A14E06DE939C42F4E996058899970007689D911660AD197028D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:57.248{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C083FE3562068AC601D4ED6247706ADE,SHA256=7FFE4C45261AF07A3CA9D5BE836FE6243F22D8DA56FDD2CE41536CC0E8E37B4C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026018Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:58.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EA6777B1524F7F9405B3FC5B214A83,SHA256=9F3D1C242F265B8AD1AEA48E514549EFAE9F40966680B456AA5E969EDD101BB5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046162Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b849b8|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046161Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
10341000x800000000000000046160Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
10341000x800000000000000046159Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b87cfd|C:\Program Files\Mozilla Firefox\xul.dll+b9790a|C:\Program Files\Mozilla Firefox\xul.dll+b70939|C:\Program Files\Mozilla Firefox\xul.dll+b8aa60|C:\Program Files\Mozilla Firefox\xul.dll+1a5a7af|C:\Program Files\Mozilla Firefox\xul.dll+1968922|C:\Program Files\Mozilla Firefox\xul.dll+1966c5c|C:\Program Files\Mozilla Firefox\xul.dll+1962565|C:\Program Files\Mozilla Firefox\xul.dll+1b54efc|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb
10341000x800000000000000046158Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
10341000x800000000000000046157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:58.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
10341000x800000000000000046163Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:59.216{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
23542300x800000000000000026021Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:00.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA852EEEBBCC1F76513E88CC7E215E3B,SHA256=DDDAF3FCB73F12F6E9C1DA9BD20CBFD1BAF09F25D0BFDCB26A0F546D39C80164,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046204Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.997{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046203Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.645{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ff9d4e|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22
10341000x800000000000000046202Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.614{80A11F3A-A5BA-6124-9206-00000000F001}55401716C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+ef672e|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.609{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22|C:\Program Files\Mozilla Firefox\xul.dll+1af09e0|C:\Program Files\Mozilla Firefox\xul.dll+f318a0
10341000x800000000000000046200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.607{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22|C:\Program Files\Mozilla Firefox\xul.dll+1af09e0|C:\Program Files\Mozilla Firefox\xul.dll+f318a0
10341000x800000000000000046199Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.607{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b87cfd|C:\Program Files\Mozilla Firefox\xul.dll+b9790a|C:\Program Files\Mozilla Firefox\xul.dll+b70939|C:\Program Files\Mozilla Firefox\xul.dll+b8aa60|C:\Program Files\Mozilla Firefox\xul.dll+1a5a7af|C:\Program Files\Mozilla Firefox\xul.dll+1968922|C:\Program Files\Mozilla Firefox\xul.dll+1966c5c|C:\Program Files\Mozilla Firefox\xul.dll+3a7a88|C:\Program Files\Mozilla Firefox\xul.dll+fd4936|C:\Program Files\Mozilla Firefox\xul.dll+fd41d3|C:\Program Files\Mozilla Firefox\xul.dll+fd43c3|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf
10341000x800000000000000046198Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.607{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+10023be|C:\Program Files\Mozilla Firefox\xul.dll+ff4816|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22|C:\Program Files\Mozilla Firefox\xul.dll+1af09e0
10341000x800000000000000046197Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.577{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+10023be|C:\Program Files\Mozilla Firefox\xul.dll+ff4816|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22|C:\Program Files\Mozilla Firefox\xul.dll+1af09e0
10341000x800000000000000046196Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.556{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b849b8|C:\Program Files\Mozilla Firefox\xul.dll+19e3b6c|C:\Program Files\Mozilla Firefox\xul.dll+1695212|C:\Program Files\Mozilla Firefox\xul.dll+1a0cb1c|C:\Program Files\Mozilla Firefox\xul.dll+a0e96f|C:\Program Files\Mozilla Firefox\xul.dll+2640e|C:\Program Files\Mozilla Firefox\xul.dll+1a1568|C:\Program Files\Mozilla Firefox\xul.dll+1a041f|C:\Program Files\Mozilla Firefox\xul.dll+41e224a|C:\Program Files\Mozilla Firefox\xul.dll+424df6d|C:\Program Files\Mozilla Firefox\xul.dll+424ebe3|C:\Program Files\Mozilla Firefox\xul.dll+1ef3c13|C:\Program Files\Mozilla Firefox\firefox.exe+5cdd|C:\Program Files\Mozilla Firefox\firefox.exe+1bbe8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046195Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+eecc6e|C:\Program Files\Mozilla Firefox\xul.dll+28d7a2|C:\Program Files\Mozilla Firefox\xul.dll+28caaf|C:\Program Files\Mozilla Firefox\xul.dll+28c89a|C:\Program Files\Mozilla Firefox\xul.dll+f05c65|C:\Program Files\Mozilla Firefox\xul.dll+18d94ac|C:\Program Files\Mozilla Firefox\xul.dll+1af9cc2|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1afc2c9|C:\Program Files\Mozilla Firefox\xul.dll+179455f
10341000x800000000000000046194Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+eecc47|C:\Program Files\Mozilla Firefox\xul.dll+28d7a2|C:\Program Files\Mozilla Firefox\xul.dll+28caaf|C:\Program Files\Mozilla Firefox\xul.dll+28c89a|C:\Program Files\Mozilla Firefox\xul.dll+f05c65|C:\Program Files\Mozilla Firefox\xul.dll+18d94ac|C:\Program Files\Mozilla Firefox\xul.dll+1af9cc2|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1afc2c9|C:\Program Files\Mozilla Firefox\xul.dll+179455f
10341000x800000000000000046193Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.532{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+eecc1c|C:\Program Files\Mozilla Firefox\xul.dll+28d7a2|C:\Program Files\Mozilla Firefox\xul.dll+28caaf|C:\Program Files\Mozilla Firefox\xul.dll+28c89a|C:\Program Files\Mozilla Firefox\xul.dll+f05c65|C:\Program Files\Mozilla Firefox\xul.dll+18d94ac|C:\Program Files\Mozilla Firefox\xul.dll+1af9cc2|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1af9f31|C:\Program Files\Mozilla Firefox\xul.dll+1afc2c9|C:\Program Files\Mozilla Firefox\xul.dll+179455f
10341000x800000000000000046192Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.399{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ff9d4e|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22
354300x800000000000000046191Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.189{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52188-
354300x800000000000000046190Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52269-false140.82.121.9lb-140-82-121-9-fra.github.com443https
354300x800000000000000046189Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:22:56.187{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local61687-
23542300x800000000000000046188Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.362{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AA8B6B7279B320FE9B28D9B0DA0E2C,SHA256=E1A0C32C381B48FB22DDF47E7277CC57031CFC5D09BDE623BE566F8A222FE2D8,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026020Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:22:57.688{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50960-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x800000000000000046187Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.331{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046186Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.331{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046185Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.331{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x800000000000000046184Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:00.315{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\PowerSploit-master.zip2021-08-24 09:23:00.315
10341000x800000000000000046183Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.315{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
10341000x800000000000000046182Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:00.215{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
23542300x800000000000000026022Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:01.671{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9823A65A72D6A8FC22BD81AB9B33DFA4,SHA256=6FDC9AAA16CFAA83D21F8F3B7270F07C8C899C0738213432D7E7922E37ADA945,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046206Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:01.822{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\handlers.jsonMD5=D8865ED85ADCBBAAF1C50B8291133088,SHA256=7D4FD8B32F01A66E9357C0ABA57E3283493DCE4ED66B9C12E30E9236E2D5BF12,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026053Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026052Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026051Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026050Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026049Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026048Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026047Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA7C-6124-9B06-00000000F101}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026046Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026045Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.421{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA7C-6124-9B06-00000000F101}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026044Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.423{D371C250-BA7C-6124-9B06-00000000F101}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026043Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.405{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E63B26B6AEFCCBD0E2C60B620B7A86,SHA256=031EAB42ACFBCA0CA7B35B9F1EF71789A6BD8A3589C73C0BD005C44E4CC6147C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:08.438{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910E6B934B2150F7E937FCA03ED1B879,SHA256=9341E4015793D91ABB09877E9692F19FBCFCCE7BED06A8CAFFA91CAD00C3BE74,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:08.320{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1696D03813F0D85745432B26D862D553,SHA256=4083883E8C937E2010541328816FC221B40466D4FA7405B8FD62904C2451AFC8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026072Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A396C60C6CA571952D8540970A0FB1,SHA256=D3E67002F045B30A6C559CC47F54BF549ADF6BD8478EF31FC597E5D3D87AB588,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:09.442{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0189FA26C7CD79B34333C56E2AFBAC,SHA256=61AB5B5F4105267AAF6F342BA1333DC504F889AA3E43412DF0FF5BCD3BAE4927,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026071Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA7D-6124-9C06-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026070Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026069Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026068Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026067Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026066Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026065Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026064Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026063Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026062Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026061Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BA7D-6124-9C06-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026060Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.046{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA7D-6124-9C06-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026059Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:09.047{D371C250-BA7D-6124-9C06-00000000F101}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000046242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:05.062{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52273-false10.0.1.12-8000-
354300x800000000000000026089Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:08.768{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50962-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026088Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1112C65ABE5DFB10FC55D6C0741B9C,SHA256=286924CF6285A6339E3DECB98B0E7986AD9F0F635D51413AF1AA4D107B7D03BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:10.446{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6266A492B6676F28A99795089DAFDEC6,SHA256=8A9D0B21F147162162286A79DB09DA9918424CCC9E9858DE2A5B7E55B9E55566,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026087Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.174{D371C250-BA7E-6124-9D06-00000000F101}3168416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026086Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.049{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5A3F3F87B0172B2E682A6E7C18057B4,SHA256=EE66658F9D02DA65532B8E299DEAEF3A0BD0D14B7B6813A29FB173A2936B171E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026085Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:10.033{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BA7E-6124-9D06-00000000F101}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026130Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026129Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026128Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026127Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026126Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026125Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026124Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026123Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026122Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BA80-6124-A006-00000000F101}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026121Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.346{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BA80-6124-A006-00000000F101}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026120Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.347{D371C250-BA80-6124-A006-00000000F101}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026119Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.190{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11C641AE9BA28D48D2F98A0DDA5794B9,SHA256=3E160ED8D68AA218E1CEDC785DD7EDCC118C52C1438197637CF5C62AC2B8863E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026118Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:12.096{D371C250-BA7F-6124-9F06-00000000F101}824428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026135Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:13.877{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B842E40F400308702C837E2E8F36E3,SHA256=6DDEE4D4D262A3FEB683966919BE3B5387A384EBFDFC30AA732FAAB5C2CFC0DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:13.582{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10616A983B36B51E29481DDC47E5857C,SHA256=ADD2D981F7328B132E9162CCD8BF59B04D3725E063C871DACC0B5D7C63B1E7C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026134Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:13.346{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38F1324123D5E4EA10BE81FE89A1BA74,SHA256=D935D1B7A3E81438E7455D0BCAB1E44CDF95CE9B2C5E2FAB92A715CB21561084,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:13.156{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-109MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:14.589{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29106B41B039617FD8EF37AE6675A229,SHA256=BFC19A34943AA150C6BABD44EAB3D1AFC9DDC84001FE1EF3A02DFE06DFDD30DE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:14.155{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:15.593{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDA2A8B00426FA03915EFA297097E35,SHA256=9031D8F9F29FD6BC7DA4ABE7D30744D60BE73D333177D4E12C80603CBA1381EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026136Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:15.049{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B578FA80E3D0140A7E5301B50309E41E,SHA256=2EB944ACE7D05057EF2ED6A42BAB36C938D6CA4C26EF78EA26E81115E5EBFF2F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:10.981{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52274-false10.0.1.12-8000-
23542300x800000000000000046256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.915{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.610{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31D3BB781BE08CF665DAC3FF3DDC00A,SHA256=09264E0FDB1B879CE1BF1B1DDCA7D563454CFDF4793C48C4E0CD7CAEF54AC123,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026137Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:16.268{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E47CE5D9D9AA3ECA26DE49760F1EC5,SHA256=D25DD9D270E8923127386F920B842B9E47A2411DAF8F248195B3DA3DA3504E5D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.347{80A11F3A-A5BA-6124-9206-00000000F001}55401716C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+ef672e|C:\Program Files\Mozilla Firefox\nss3.dll+7692d|C:\Program Files\Mozilla Firefox\nss3.dll+8e041|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.339{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+ba5521|C:\Program Files\Mozilla Firefox\xul.dll+b81e63|C:\Program Files\Mozilla Firefox\xul.dll+b82017|C:\Program Files\Mozilla Firefox\xul.dll+ba543f|C:\Program Files\Mozilla Firefox\xul.dll+c17c75|C:\Program Files\Mozilla Firefox\xul.dll+c16dd3|C:\Program Files\Mozilla Firefox\xul.dll+c1647a|C:\Program Files\Mozilla Firefox\xul.dll+c0dea3|C:\Program Files\Mozilla Firefox\xul.dll+c17820|C:\Program Files\Mozilla Firefox\xul.dll+fccd79|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ff9d4e|C:\Program Files\Mozilla Firefox\xul.dll+1a5baca|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d|C:\Program Files\Mozilla Firefox\xul.dll+eccfbb|C:\Program Files\Mozilla Firefox\xul.dll+ecc9a4|C:\Program Files\Mozilla Firefox\xul.dll+2bbb22
23542300x800000000000000046258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:17.612{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C257C2EEDE47B1948C8FB513C2E860C8,SHA256=BC56B516857E9D3F9B16EB63008C1CBA9240444EF6E652173B0269C635347B23,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026139Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:17.315{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC08D0B036A3A87BEEA113D6C1418F91,SHA256=AC59B6DFA456169942E5B3BB126447D4C19B29A592E36F000F151DA489210868,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:17.234{80A11F3A-A44D-6124-C804-00000000F001}50644308C:\Windows\system32\taskhostw.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000026138Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:13.848{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50963-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026140Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:18.424{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021E3A18EE3315059DBA69B7A54CB747,SHA256=3134C9168466B4E67979CB4274D9DA6D56BB087DC5A1E0DC7F4F05409218B176,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:18.623{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E8DD78A6B60667B84ED5865829B342,SHA256=34202126E3D8AF1FD4C4D9F5EEA0D864793A5E1CA757EE2EF2C8E1838C5AF9A7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:18.520{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:18.505{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:18.505{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026141Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:19.549{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBB81D9D0410C951377DDC88F509DCA,SHA256=B3EA41BBEB938E6DBB20512DC00AAE2DF3F3FC97632BFAD4A5CCC142758A5BCD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:19.625{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D6E9C1E1D14B1822045C74B386E509,SHA256=F069514DD498342617630F99054BAE1341A29F3A2A31169417313F013CAD6CE5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026142Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:20.580{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62C9FD81734678E76AFCD1FC83D4F53,SHA256=BAAAE1DC0C17A9B07F2FC19277DF0D1C362F3AE88EECF0D60EB80A366D8635D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:20.628{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0D56055E69E8A67E654DDE7269D0AA,SHA256=9FC3998057A8EC715D766AD6F337A490034C36D679363087E2C898637A2017DA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:16.026{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52275-false10.0.1.12-8000-
23542300x800000000000000046266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:21.632{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B77FF6FFF049ADDA4C62C92BF3932E0,SHA256=DC8786779E5FD35CBC95797D22A80DDBA1C3AFDE62C86C1384AB89706C25FA66,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026143Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:21.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F751DC18342D4B3BB0B9EFBBD6AD5FF,SHA256=EDBF9200E190C5276DE64815CD5EC3206BC6BBACE143BC3FE9962EDF629FA7F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026145Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:22.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061099DFAAD79AC84679C6628B75AD7B,SHA256=F4DA6A2F6B3C5E64357B3904EED52F57D6F11A35A3D18D695BFC3F8DDA6557E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:22.635{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC22AF8D0B80A7F9138738ABBB704B3,SHA256=485B811302FD1AF8EA6338F02485FF65D3411A4BFC7C7102EBDEE3C987BB7318,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026144Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:19.676{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50964-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026146Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:23.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC3C2C0A007F2123C580CDCEAFEAA81,SHA256=4893341BB3CF8D643CF3BD45D1A333DC3DA68D8565FF3B4E4F2F89E23BA6490E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:23.637{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50BD2D35DC675D75C5B4DC0DC0D4A08,SHA256=34337EFDA06F2CA17EC28671B890FDFC0A3E0EE74D2F6DD85090AC1B640D30E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026147Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:24.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65032065495D98D4E897DFD6B64508C2,SHA256=41CFAD06ADD86D23FC09203F4FAFA93D877ED2213FF365E06A1014B3ADB9C497,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:24.658{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46866BFA35883F89E5F59F64F6A2C27,SHA256=2D8F6CB9D1C11A71FADC073AA7AF318D91EC8896C4734C12FF3FEE0BBC3C2D82,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:24.331{80A11F3A-A5BA-6124-9206-00000000F001}55401596C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b9391|C:\Program Files\Mozilla Firefox\xul.dll+a0c244|C:\Program Files\Mozilla Firefox\xul.dll+a302c9|C:\Program Files\Mozilla Firefox\xul.dll+a301ea|C:\Program Files\Mozilla Firefox\xul.dll+a2fdd9|C:\Program Files\Mozilla Firefox\xul.dll+a2c15f|C:\Program Files\Mozilla Firefox\xul.dll+a2c46c|C:\Program Files\Mozilla Firefox\xul.dll+b7963a|C:\Program Files\Mozilla Firefox\xul.dll+2f2b99|C:\Program Files\Mozilla Firefox\xul.dll+2f2aa4|C:\Program Files\Mozilla Firefox\xul.dll+2f288d|C:\Program Files\Mozilla Firefox\xul.dll+2f2724|C:\Program Files\Mozilla Firefox\xul.dll+bcac13|C:\Program Files\Mozilla Firefox\xul.dll+bcb8e1|C:\Program Files\Mozilla Firefox\xul.dll+bca90d|C:\Program Files\Mozilla Firefox\xul.dll+bca862|C:\Program Files\Mozilla Firefox\xul.dll+b9a490|C:\Program Files\Mozilla Firefox\xul.dll+1a5bafb|C:\Program Files\Mozilla Firefox\xul.dll+ba02ee|C:\Program Files\Mozilla Firefox\xul.dll+ff213d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaaf|C:\Program Files\Mozilla Firefox\xul.dll+2d4d1d
10341000x800000000000000046270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:24.326{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:24.326{80A11F3A-A5BA-6124-9206-00000000F001}55405380C:\Program Files\Mozilla Firefox\firefox.exe{80A11F3A-A5BC-6124-9306-00000000F001}1640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e60|C:\Program Files\Mozilla Firefox\firefox.exe+37d56|C:\Program Files\Mozilla Firefox\firefox.exe+49330|C:\Program Files\Mozilla Firefox\firefox.exe+4902c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026148Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:25.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5D0B92DD99BC62AC92F64EAC6ACBF5,SHA256=844454362565C3DE6EF7FCCF658320CABEA4DDED9977D3C6890EDB31A27DF0C5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.775{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA8D-6124-2F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.772{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.772{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.771{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.770{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BA8D-6124-2F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.770{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.770{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA8D-6124-2F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.769{80A11F3A-BA8D-6124-2F09-00000000F001}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000046279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.664{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEA2F5A6D48A3D39242760D4AD648FE,SHA256=9104A14CA2DFBA29BF780F54B07567320B48C53FE2DAC0AC0442EBA670C92EB3,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:21.923{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52276-false10.0.1.12-8000-
13241300x800000000000000046277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:25.159{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXEHKU\S-1-5-21-3401929934-754655068-3831493345-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B8CDCB65-B1BF-4B42-9428-1DFDB7EE92AF} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data
10341000x800000000000000046276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.149{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.149{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.148{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:25.147{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026149Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:26.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC87D2B0C779711725DD577FB67B14C,SHA256=3DE64342617298930DAA54F32369F917AF3F12812A3DD064E1C3207049A3177B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046305Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046304Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046303Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046302Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046301Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.990{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046300Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.989{80A11F3A-A44E-6124-D004-00000000F001}41606380C:\Windows\Explorer.EXE{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+4f38|C:\Program Files\7-Zip\7-zip.dll+61c5|C:\Program Files\7-Zip\7-zip.dll+698e|C:\Program Files\7-Zip\7-zip.dll+6aa9|C:\Program Files\7-Zip\7-zip.dll+8771|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026
154100x800000000000000046299Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.980{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exe19.007-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Administrator\Downloads\PowerSploit-master\" -spe -an -ai#7zMap7642:114:7zEvent18907C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=04FB3AE7F05C8BC333125972BA907398,SHA256=2FB898BACB587F2484C9C4AA6DA2729079D93D1F923A017BB84BEEF87BF74FEF,IMPHASH=9CF6F80DD6DFE9900700C1E11C318B2A{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK
23542300x800000000000000046298Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.820{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=068E86E6F388D502F0D01C074A678F76,SHA256=87F88412F3C4819B92551E75D4131953E1BD217E7B8A4F042C8ED5EE788A3176,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046297Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.819{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D2EE5688427396852820356314A9D5D,SHA256=E67198A44E58B40821DD25CC03553B556ED843A34D72821EECDF28D8672E94A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046296Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.677{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F35621C63568DA1805C8BAF42F0B03,SHA256=FEAC676C6DCFEF4ECA1DDE2F9E1EC321EA59D75475D490382D21A7B940C58D32,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046295Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.454{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA8E-6124-3009-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046294Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.452{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046293Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.452{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046292Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.451{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046291Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.451{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046290Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.451{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BA8E-6124-3009-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046289Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.451{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA8E-6124-3009-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046288Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:26.450{80A11F3A-BA8E-6124-3009-00000000F001}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026151Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:27.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D3F1F446D28B07BB52C32D385812F4,SHA256=F4153C47B09989CFBDA87815606587FBE7EADE6F9189B986ED477A6436FC3B37,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046663Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.690{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E7A28C5E25A0A232901D184FE30452,SHA256=351D33A783152B7C2B0549C2AA924B917501DA764163CFA49D846B6318338A1F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026150Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:24.817{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50965-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000046662Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.514{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09C885180569303B48E878C4E150227,SHA256=2493C4FF03D2C6067BE5476B15F571BFA1A3D8522309DAA151517E949C8C2FE0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x800000000000000046661Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.398{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\mkdocs.yml2021-08-24 09:23:27.398
11241100x800000000000000046660Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.397{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\index.md2021-08-24 09:23:27.397
11241100x800000000000000046659Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.397{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification\Remove-Comment.md2021-08-24 09:23:27.397
11241100x800000000000000046658Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.396{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification\Out-EncryptedScript.md2021-08-24 09:23:27.395
11241100x800000000000000046657Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.395{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification\Out-EncodedCommand.md2021-08-24 09:23:27.395
11241100x800000000000000046656Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.394{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification\Out-CompressedDll.md2021-08-24 09:23:27.394
11241100x800000000000000046655Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.394{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\ScriptModification2021-08-24 09:23:27.394
11241100x800000000000000046654Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.393{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\index.md2021-08-24 09:23:27.393
11241100x800000000000000046653Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.393{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Test-AdminAccess.md2021-08-24 09:23:27.392
11241100x800000000000000046652Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.392{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Set-DomainUserPassword.md2021-08-24 09:23:27.391
11241100x800000000000000046651Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.391{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Set-DomainObjectOwner.md2021-08-24 09:23:27.391
11241100x800000000000000046650Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.390{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Set-DomainObject.md2021-08-24 09:23:27.390
11241100x800000000000000046649Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.389{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Resolve-IPAddress.md2021-08-24 09:23:27.389
11241100x800000000000000046648Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.389{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Remove-RemoteConnection.md2021-08-24 09:23:27.389
11241100x800000000000000046647Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.388{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\New-DomainUser.md2021-08-24 09:23:27.388
11241100x800000000000000046646Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.387{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\New-DomainGroup.md2021-08-24 09:23:27.387
11241100x800000000000000046645Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.387{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-UserImpersonation.md2021-08-24 09:23:27.386
11241100x800000000000000046644Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.386{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-RevertToSelf.md2021-08-24 09:23:27.386
11241100x800000000000000046643Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.385{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-ReverseDnsLookup.md2021-08-24 09:23:27.385
11241100x800000000000000046642Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.384{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-Portscan.md2021-08-24 09:23:27.384
11241100x800000000000000046641Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.383{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Invoke-Kerberoast.md2021-08-24 09:23:27.383
11241100x800000000000000046640Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.383{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIRegProxy.md2021-08-24 09:23:27.383
11241100x800000000000000046639Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.382{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIRegMountedDrive.md2021-08-24 09:23:27.382
11241100x800000000000000046638Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.381{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIRegLastLoggedOn.md2021-08-24 09:23:27.381
11241100x800000000000000046637Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.381{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIRegCachedRDPConnection.md2021-08-24 09:23:27.381
11241100x800000000000000046636Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.380{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-WMIProcess.md2021-08-24 09:23:27.380
11241100x800000000000000046635Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.380{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-RegLoggedOn.md2021-08-24 09:23:27.379
11241100x800000000000000046634Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.379{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-PathAcl.md2021-08-24 09:23:27.378
11241100x800000000000000046633Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.377{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetShare.md2021-08-24 09:23:27.377
11241100x800000000000000046632Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.377{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetSession.md2021-08-24 09:23:27.376
11241100x800000000000000046631Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.376{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetRDPSession.md2021-08-24 09:23:27.376
11241100x800000000000000046630Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.375{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetLoggedon.md2021-08-24 09:23:27.375
11241100x800000000000000046629Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.374{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetLocalGroupMember.md2021-08-24 09:23:27.374
11241100x800000000000000046628Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.374{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetLocalGroup.md2021-08-24 09:23:27.374
11241100x800000000000000046627Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.373{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-NetComputerSiteName.md2021-08-24 09:23:27.373
11241100x800000000000000046626Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.373{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-HttpStatus.md2021-08-24 09:23:27.372
11241100x800000000000000046625Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.370{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-ForestTrust.md2021-08-24 09:23:27.370
11241100x800000000000000046624Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.369{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-ForestGlobalCatalog.md2021-08-24 09:23:27.369
11241100x800000000000000046623Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.368{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-ForestDomain.md2021-08-24 09:23:27.368
11241100x800000000000000046622Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.366{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-Forest.md2021-08-24 09:23:27.366
11241100x800000000000000046621Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.365{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainUserEvent.md2021-08-24 09:23:27.365
11241100x800000000000000046620Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.364{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainUser.md2021-08-24 09:23:27.364
11241100x800000000000000046619Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.364{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainTrustMapping.md2021-08-24 09:23:27.364
11241100x800000000000000046618Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.363{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainTrust.md2021-08-24 09:23:27.363
11241100x800000000000000046617Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.363{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainSubnet.md2021-08-24 09:23:27.362
11241100x800000000000000046616Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.362{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainSite.md2021-08-24 09:23:27.362
11241100x800000000000000046615Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.361{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainSPNTicket.md2021-08-24 09:23:27.361
11241100x800000000000000046614Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.361{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainSID.md2021-08-24 09:23:27.361
11241100x800000000000000046613Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.360{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainPolicy.md2021-08-24 09:23:27.360
11241100x800000000000000046612Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.360{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainObjectAcl.md2021-08-24 09:23:27.359
11241100x800000000000000046611Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.359{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainObject.md2021-08-24 09:23:27.359
11241100x800000000000000046610Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.358{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainOU.md2021-08-24 09:23:27.358
11241100x800000000000000046609Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.358{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainManagedSecurityGroup.md2021-08-24 09:23:27.357
11241100x800000000000000046608Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.357{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGroupMember.md2021-08-24 09:23:27.355
11241100x800000000000000046607Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.355{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGroup.md2021-08-24 09:23:27.355
11241100x800000000000000046606Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.354{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGPOUserLocalGroupMapping.md2021-08-24 09:23:27.354
11241100x800000000000000046605Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.353{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGPOLocalGroup.md2021-08-24 09:23:27.353
11241100x800000000000000046604Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.352{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGPOComputerLocalGroupMapping.md2021-08-24 09:23:27.352
11241100x800000000000000046603Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.352{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainGPO.md2021-08-24 09:23:27.352
11241100x800000000000000046602Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.351{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainForeignUser.md2021-08-24 09:23:27.351
11241100x800000000000000046601Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.350{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainForeignGroupMember.md2021-08-24 09:23:27.350
11241100x800000000000000046600Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.350{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainFileServer.md2021-08-24 09:23:27.349
11241100x800000000000000046599Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.348{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainDNSZone.md2021-08-24 09:23:27.348
11241100x800000000000000046598Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.348{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainDNSRecord.md2021-08-24 09:23:27.348
11241100x800000000000000046597Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.347{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainDFSShare.md2021-08-24 09:23:27.347
11241100x800000000000000046596Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.347{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainController.md2021-08-24 09:23:27.347
11241100x800000000000000046595Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.346{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-DomainComputer.md2021-08-24 09:23:27.346
11241100x800000000000000046594Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.345{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-Domain.md2021-08-24 09:23:27.345
11241100x800000000000000046593Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.345{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Get-ComputerDetail.md2021-08-24 09:23:27.345
11241100x800000000000000046592Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.344{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-LocalAdminAccess.md2021-08-24 09:23:27.344
11241100x800000000000000046591Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.343{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-InterestingFile.md2021-08-24 09:23:27.343
11241100x800000000000000046590Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.342{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-InterestingDomainShareFile.md2021-08-24 09:23:27.342
11241100x800000000000000046589Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.341{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-InterestingDomainAcl.md2021-08-24 09:23:27.341
11241100x800000000000000046588Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.341{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainUserLocation.md2021-08-24 09:23:27.340
11241100x800000000000000046587Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.340{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainUserEvent.md2021-08-24 09:23:27.339
23542300x800000000000000046586Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.339{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A50ADC076D9950AFF1AEAA09541E31,SHA256=3C5794F9A44BC6AE9FD3B776E79B2BCC98C15282A1D52EF52763E297C0EC13EE,IMPHASH=00000000000000000000000000000000falsetrue
11241100x800000000000000046585Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.338{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainShare.md2021-08-24 09:23:27.338
11241100x800000000000000046584Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.337{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainProcess.md2021-08-24 09:23:27.337
11241100x800000000000000046583Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.336{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainObjectPropertyOutlier.md2021-08-24 09:23:27.336
11241100x800000000000000046582Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.335{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Find-DomainLocalGroupMember.md2021-08-24 09:23:27.335
11241100x800000000000000046581Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.335{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Export-PowerViewCSV.md2021-08-24 09:23:27.334
11241100x800000000000000046580Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.334{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\ConvertTo-SID.md2021-08-24 09:23:27.334
11241100x800000000000000046579Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.333{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\ConvertFrom-UACValue.md2021-08-24 09:23:27.333
11241100x800000000000000046578Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.333{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\ConvertFrom-SID.md2021-08-24 09:23:27.333
11241100x800000000000000046577Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.332{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Convert-ADName.md2021-08-24 09:23:27.332
11241100x800000000000000046576Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.331{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Add-RemoteConnection.md2021-08-24 09:23:27.331
11241100x800000000000000046575Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.330{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Add-DomainObjectAcl.md2021-08-24 09:23:27.330
11241100x800000000000000046574Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.330{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon\Add-DomainGroupMember.md2021-08-24 09:23:27.329
11241100x800000000000000046573Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.329{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Recon2021-08-24 09:23:27.329
11241100x800000000000000046572Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.329{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\index.md2021-08-24 09:23:27.329
11241100x800000000000000046571Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.328{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Write-UserAddMSI.md2021-08-24 09:23:27.328
11241100x800000000000000046570Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.328{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Write-ServiceBinary.md2021-08-24 09:23:27.327
11241100x800000000000000046569Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.327{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Write-HijackDll.md2021-08-24 09:23:27.327
11241100x800000000000000046568Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.326{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Test-ServiceDaclPermission.md2021-08-24 09:23:27.326
EventID | Version | Level | Task | Opcode | Keywords | RecordNumber | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime   (Sysmon Event ID 11 FileCreate columns; the single Event ID 10 ProcessAccess record below carries its own field names inline)
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46567 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.326 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Set-ServiceBinaryPath.md | 2021-08-24 09:23:27.326
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46566 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.325 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Restore-ServiceBinary.md | 2021-08-24 09:23:27.324
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46565 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.324 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Invoke-WScriptUACBypass.md | 2021-08-24 09:23:27.324
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46564 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.323 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Invoke-ServiceAbuse.md | 2021-08-24 09:23:27.323
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46563 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.323 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Invoke-PrivescAudit.md | 2021-08-24 09:23:27.322
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46562 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.322 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Install-ServiceBinary.md | 2021-08-24 09:23:27.322
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46561 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.321 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-WebConfig.md | 2021-08-24 09:23:27.321
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46560 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.321 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-UnquotedService.md | 2021-08-24 09:23:27.321
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46559 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.320 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-UnattendedInstallFile.md | 2021-08-24 09:23:27.320
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46558 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.320 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-System.md | 2021-08-24 09:23:27.319
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46557 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.319 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-SiteListPassword.md | 2021-08-24 09:23:27.318
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46556 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.317 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ServiceDetail.md | 2021-08-24 09:23:27.316
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46555 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.316 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-RegistryAutoLogon.md | 2021-08-24 09:23:27.315
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46554 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.315 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-RegistryAlwaysInstallElevated.md | 2021-08-24 09:23:27.315
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46553 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.314 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ProcessTokenPrivilege.md | 2021-08-24 09:23:27.314
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46552 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.314 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ProcessTokenGroup.md | 2021-08-24 09:23:27.314
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46551 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.313 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiableServiceFile.md | 2021-08-24 09:23:27.313
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46550 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.313 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiableService.md | 2021-08-24 09:23:27.312
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46549 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.312 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiableScheduledTaskFile.md | 2021-08-24 09:23:27.312
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46548 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.311 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiableRegistryAutoRun.md | 2021-08-24 09:23:27.311
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46547 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.311 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ModifiablePath.md | 2021-08-24 09:23:27.311
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46546 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.310 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-CachedGPPPassword.md | 2021-08-24 09:23:27.310
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 46545 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | - | 2021-08-24 09:23:27.310 | SourceProcessGUID={80A11F3A-BA8F-6124-3209-00000000F001} | SourceProcessId=6240 | SourceThreadId=6260 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | TargetProcessGUID={80A11F3A-A080-6124-A400-00000000F001} | TargetProcessId=3688 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46544 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.309 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Get-ApplicationHost.md | 2021-08-24 09:23:27.309
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46543 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.309 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Find-ProcessDLLHijack.md | 2021-08-24 09:23:27.308
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46542 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.308 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Find-PathDLLHijack.md | 2021-08-24 09:23:27.308
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46541 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.307 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Enable-Privilege.md | 2021-08-24 09:23:27.307
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46540 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.307 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc\Add-ServiceDacl.md | 2021-08-24 09:23:27.307
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46539 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.306 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Privesc | 2021-08-24 09:23:27.306
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46538 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.306 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\New-UserPersistenceOption.md | 2021-08-24 09:23:27.306
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46537 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.305 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\New-ElevatedPersistenceOption.md | 2021-08-24 09:23:27.305
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46536 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.304 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\Install-SSP.md | 2021-08-24 09:23:27.304
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46535 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.303 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\Get-SecurityPackage.md | 2021-08-24 09:23:27.303
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46534 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.302 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence\Add-Persistence.md | 2021-08-24 09:23:27.302
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46533 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.302 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Persistence | 2021-08-24 09:23:27.301
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46532 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.300 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Mayhem\Set-MasterBootRecord.md | 2021-08-24 09:23:27.300
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46531 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.300 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Mayhem\Set-CriticalProcess.md | 2021-08-24 09:23:27.299
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46530 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.299 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\Mayhem | 2021-08-24 09:23:27.299
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46529 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.298 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution\Invoke-WmiCommand.md | 2021-08-24 09:23:27.298
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46528 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.297 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution\Invoke-Shellcode.md | 2021-08-24 09:23:27.297
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46527 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.296 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution\Invoke-ReflectivePEInjection.md | 2021-08-24 09:23:27.296
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46526 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.295 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution\Invoke-DllInjection.md | 2021-08-24 09:23:27.295
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46525 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.295 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\CodeExecution | 2021-08-24 09:23:27.295
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46524 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.294 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\AntivirusBypass\Find-AVSignature.md | 2021-08-24 09:23:27.294
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46523 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.294 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs\AntivirusBypass | 2021-08-24 09:23:27.294
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46522 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.293 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\docs | 2021-08-24 09:23:27.293
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46521 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.291 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Tests\Recon.tests.ps1 | 2021-08-24 09:23:27.291
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46520 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.291 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Tests\Privesc.tests.ps1 | 2021-08-24 09:23:27.290
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46519 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.290 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Tests\PowerSploit.tests.ps1 | 2021-08-24 09:23:27.289
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46518 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.289 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Tests\Exfiltration.tests.ps1 | 2021-08-24 09:23:27.289
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46517 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.288 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Tests\CodeExecution.tests.ps1 | 2021-08-24 09:23:27.288
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46516 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.287 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Tests | 2021-08-24 09:23:27.287
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46515 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.286 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Usage.md | 2021-08-24 09:23:27.286
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46514 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.286 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\ScriptModification.psm1 | 2021-08-24 09:23:27.286
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46513 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.285 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\ScriptModification.psd1 | 2021-08-24 09:23:27.285
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46512 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.285 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Remove-Comment.ps1 | 2021-08-24 09:23:27.284
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46511 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.283 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Out-EncryptedScript.ps1 | 2021-08-24 09:23:27.282
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46510 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.282 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Out-EncodedCommand.ps1 | 2021-08-24 09:23:27.282
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46509 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.281 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification\Out-CompressedDll.ps1 | 2021-08-24 09:23:27.281
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46508 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.281 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\ScriptModification | 2021-08-24 09:23:27.281
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46507 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.280 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Recon.psm1 | 2021-08-24 09:23:27.280
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46506 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.279 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Recon.psd1 | 2021-08-24 09:23:27.279
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46505 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.279 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\README.md | 2021-08-24 09:23:27.279
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46504 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.273 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1 | 2021-08-24 09:23:27.273
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46503 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.273 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Invoke-ReverseDnsLookup.ps1 | 2021-08-24 09:23:27.272
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46502 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.272 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Invoke-Portscan.ps1 | 2021-08-24 09:23:27.271
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46501 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.271 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Invoke-CompareAttributesForClass.ps1 | 2021-08-24 09:23:27.271
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46500 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.270 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Get-HttpStatus.ps1 | 2021-08-24 09:23:27.269
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46499 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.269 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Get-ComputerDetail.ps1 | 2021-08-24 09:23:27.269
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46498 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.268 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Dictionaries\sharepoint.txt | 2021-08-24 09:23:27.268
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46497 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.267 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Dictionaries\generic.txt | 2021-08-24 09:23:27.267
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46496 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.266 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Dictionaries\admin.txt | 2021-08-24 09:23:27.266
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46495 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.266 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon\Dictionaries | 2021-08-24 09:23:27.266
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46494 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.266 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Recon | 2021-08-24 09:23:27.266
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46493 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.265 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\README.md | 2021-08-24 09:23:27.265
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46492 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.265 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Privesc\README.md | 2021-08-24 09:23:27.265
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46491 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.264 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Privesc\Privesc.psm1 | 2021-08-24 09:23:27.263
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46490 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.263 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Privesc\Privesc.psd1 | 2021-08-24 09:23:27.263
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46489 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.257 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Privesc\PowerUp.ps1 | 2021-08-24 09:23:27.256
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46488 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.256 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Privesc\Get-System.ps1 | 2021-08-24 09:23:27.256
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46487 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.255 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Privesc | 2021-08-24 09:23:27.255
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46486 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.255 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\PowerSploit.sln | 2021-08-24 09:23:27.255
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46485 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.254 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\PowerSploit.pssproj | 2021-08-24 09:23:27.254
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46484 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.253 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\PowerSploit.psm1 | 2021-08-24 09:23:27.253
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46483 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.253 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\PowerSploit.psd1 | 2021-08-24 09:23:27.253
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46482 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.252 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Persistence\Usage.md | 2021-08-24 09:23:27.252
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46481 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.251 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Persistence\Persistence.psm1 | 2021-08-24 09:23:27.250
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46480 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.250 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Persistence\Persistence.psd1 | 2021-08-24 09:23:27.250
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46479 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.249 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Persistence | 2021-08-24 09:23:27.249
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46478 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.249 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Mayhem\Usage.md | 2021-08-24 09:23:27.249
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46477 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.248 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Mayhem\Mayhem.psm1 | 2021-08-24 09:23:27.248
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46476 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.247 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Mayhem\Mayhem.psd1 | 2021-08-24 09:23:27.247
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46475 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.247 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Mayhem | 2021-08-24 09:23:27.247
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46474 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.247 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\LICENSE | 2021-08-24 09:23:27.246
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46473 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.246 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\VolumeShadowCopyTools.ps1 | 2021-08-24 09:23:27.245
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46472 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.244 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Usage.md | 2021-08-24 09:23:27.244
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46471 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.244 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Out-Minidump.ps1 | 2021-08-24 09:23:27.244
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46470 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.243 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\targetver.h | 2021-08-24 09:23:27.243
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46469 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.240 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\stdafx.h | 2021-08-24 09:23:27.240
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46468 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.240 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\stdafx.cpp | 2021-08-24 09:23:27.240
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46467 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.239 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\dllmain.cpp | 2021-08-24 09:23:27.239
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46466 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.239 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\ReadMe.txt | 2021-08-24 09:23:27.238
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46465 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.238 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS_FileRecord.h | 2021-08-24 09:23:27.238
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46464 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.237 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS_DataType.h | 2021-08-24 09:23:27.237
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46463 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.236 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS_Common.h | 2021-08-24 09:23:27.236
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46462 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.235 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS_Attribute.h | 2021-08-24 09:23:27.235
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46461 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.235 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFSParserDLL.vcxproj.filters | 2021-08-24 09:23:27.234
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46460 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.234 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFSParserDLL.vcxproj | 2021-08-24 09:23:27.233
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46459 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.232 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFSParserDLL.cpp | 2021-08-24 09:23:27.232
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46458 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.231 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL\NTFS.h | 2021-08-24 09:23:27.231
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46457 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.230 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParserDLL | 2021-08-24 09:23:27.229
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46456 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.229 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\targetver.h | 2021-08-24 09:23:27.229
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46455 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.228 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\stdafx.h | 2021-08-24 09:23:27.228
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46454 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.228 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\stdafx.cpp | 2021-08-24 09:23:27.228
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46453 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.227 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\ReadMe.txt | 2021-08-24 09:23:27.227
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46452 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.226 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS_FileRecord.h | 2021-08-24 09:23:27.226
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46451 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.225 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS_DataType.h | 2021-08-24 09:23:27.225
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 46450 | Microsoft-Windows-Sysmon/Operational | win-dc-391.attackrange.local | Downloads | 2021-08-24 09:23:27.225 | {80A11F3A-BA8E-6124-3109-00000000F001} | 4440 | C:\Program Files\7-Zip\7zG.exe | C:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS_Common.h | 2021-08-24 09:23:27.225
11241100x800000000000000046449Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.224{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS_Attribute.h2021-08-24 09:23:27.224
11241100x800000000000000046448Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.223{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFSParser.vcxproj.filters2021-08-24 09:23:27.222
11241100x800000000000000046447Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.222{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFSParser.vcxproj2021-08-24 09:23:27.222
11241100x800000000000000046446Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.221{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFSParser.cpp2021-08-24 09:23:27.221
11241100x800000000000000046445Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.220{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser\NTFS.h2021-08-24 09:23:27.220
11241100x800000000000000046444Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.220{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser2021-08-24 09:23:27.219
11241100x800000000000000046443Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.219{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser\NTFSParser.sln2021-08-24 09:23:27.219
11241100x800000000000000046442Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.219{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\NTFSParser2021-08-24 09:23:27.218
11241100x800000000000000046441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.218{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\targetver.h2021-08-24 09:23:27.218
11241100x800000000000000046440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.217{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\stdafx.h2021-08-24 09:23:27.217
11241100x800000000000000046439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.217{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\stdafx.cpp2021-08-24 09:23:27.217
11241100x800000000000000046438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.216{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\logon.vcxproj.filters2021-08-24 09:23:27.215
11241100x800000000000000046437Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.215{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\logon.vcxproj2021-08-24 09:23:27.215
11241100x800000000000000046436Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.214{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\logon.cpp2021-08-24 09:23:27.214
11241100x800000000000000046435Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.214{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\dllmain.cpp2021-08-24 09:23:27.214
11241100x800000000000000046434Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.213{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon\ReadMe.txt2021-08-24 09:23:27.213
11241100x800000000000000046433Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.213{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\logon2021-08-24 09:23:27.213
11241100x800000000000000046432Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.212{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\targetver.h2021-08-24 09:23:27.212
11241100x800000000000000046431Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.212{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\stdafx.h2021-08-24 09:23:27.212
11241100x800000000000000046430Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.211{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\stdafx.cpp2021-08-24 09:23:27.211
11241100x800000000000000046429Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.210{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\ReadMe.txt2021-08-24 09:23:27.210
11241100x800000000000000046428Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.210{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\LogonUser.vcxproj.filters2021-08-24 09:23:27.209
11241100x800000000000000046427Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.208{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\LogonUser.vcxproj2021-08-24 09:23:27.208
11241100x800000000000000046426Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.208{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser\LogonUser.cpp2021-08-24 09:23:27.208
11241100x800000000000000046425Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.207{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser2021-08-24 09:23:27.207
11241100x800000000000000046424Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.206{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser\LogonUser.sln2021-08-24 09:23:27.206
11241100x800000000000000046423Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.206{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser\LogonUser2021-08-24 09:23:27.206
11241100x800000000000000046422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.206{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\LogonUser2021-08-24 09:23:27.205
11241100x800000000000000046421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.204{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Invoke-TokenManipulation.ps12021-08-24 09:23:27.204
23542300x800000000000000046420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.201{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482ABC3EC480E687CC2AB19180E0A855,SHA256=51A54D219ED26F26198DBD9E3198A8AB136DA4C4A3FE326CB0DF97D4825F89DF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x800000000000000046419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.199{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Invoke-NinjaCopy.ps12021-08-24 09:23:27.199
11241100x800000000000000046418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.174{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Invoke-Mimikatz.ps12021-08-24 09:23:27.174
11241100x800000000000000046417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.169{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Invoke-CredentialInjection.ps12021-08-24 09:23:27.169
11241100x800000000000000046416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.168{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-VaultCredential.ps1xml2021-08-24 09:23:27.168
11241100x800000000000000046415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.168{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-VaultCredential.ps12021-08-24 09:23:27.167
11241100x800000000000000046414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.167{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-TimedScreenshot.ps12021-08-24 09:23:27.167
11241100x800000000000000046413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.166{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-MicrophoneAudio.ps12021-08-24 09:23:27.166
11241100x800000000000000046412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.165{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-Keystrokes.ps12021-08-24 09:23:27.165
11241100x800000000000000046411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.165{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-GPPPassword.ps12021-08-24 09:23:27.164
11241100x800000000000000046410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.164{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Get-GPPAutologon.ps12021-08-24 09:23:27.163
11241100x800000000000000046409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.162{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Exfiltration.psm12021-08-24 09:23:27.162
11241100x800000000000000046408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.161{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration\Exfiltration.psd12021-08-24 09:23:27.161
11241100x800000000000000046407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.160{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\Exfiltration2021-08-24 09:23:27.160
11241100x800000000000000046406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.160{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Usage.md2021-08-24 09:23:27.160
11241100x800000000000000046405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.159{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-WmiCommand.ps12021-08-24 09:23:27.159
11241100x800000000000000046404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.158{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-Shellcode.ps12021-08-24 09:23:27.158
11241100x800000000000000046403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.157{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x86\GetProcAddress.asm2021-08-24 09:23:27.157
11241100x800000000000000046402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.157{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x86\ExitThread.asm2021-08-24 09:23:27.156
11241100x800000000000000046401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.155{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x86\CallDllMain.asm2021-08-24 09:23:27.155
11241100x800000000000000046400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.155{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x862021-08-24 09:23:27.154
11241100x800000000000000046399Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.154{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x64\LoadLibraryA.asm2021-08-24 09:23:27.153
11241100x800000000000000046398Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.152{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x64\GetFuncAddress.asm2021-08-24 09:23:27.152
11241100x800000000000000046397Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.151{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x64\ExitThread.asm2021-08-24 09:23:27.151
11241100x800000000000000046396Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.150{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x64\CallDllMain.asm2021-08-24 09:23:27.150
11241100x800000000000000046395Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.149{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\x642021-08-24 09:23:27.149
11241100x800000000000000046394Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.149{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode\readme.txt2021-08-24 09:23:27.148
11241100x800000000000000046393Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.148{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\Shellcode2021-08-24 09:23:27.148
11241100x800000000000000046392Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.147{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\targetver.h2021-08-24 09:23:27.147
11241100x800000000000000046391Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.146{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\stdafx.h2021-08-24 09:23:27.146
11241100x800000000000000046390Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.146{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\stdafx.cpp2021-08-24 09:23:27.145
11241100x800000000000000046389Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.145{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\ReadMe.txt2021-08-24 09:23:27.145
11241100x800000000000000046388Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.144{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\ExeToInjectInTo.vcxproj.filters2021-08-24 09:23:27.143
11241100x800000000000000046387Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.142{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\ExeToInjectInTo.vcxproj2021-08-24 09:23:27.141
11241100x800000000000000046386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.141{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo\ExeToInjectInTo.cpp2021-08-24 09:23:27.141
11241100x800000000000000046385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.140{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo2021-08-24 09:23:27.140
11241100x800000000000000046384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.139{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo\ExeToInjectInTo.sln2021-08-24 09:23:27.139
11241100x800000000000000046383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.139{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\ExeToInjectInTo2021-08-24 09:23:27.138
11241100x800000000000000046382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.138{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\targetver.h2021-08-24 09:23:27.137
11241100x800000000000000046381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.137{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\stdafx.h2021-08-24 09:23:27.137
11241100x800000000000000046380Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.136{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\stdafx.cpp2021-08-24 09:23:27.136
11241100x800000000000000046379Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.135{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\ReadMe.txt2021-08-24 09:23:27.135
11241100x800000000000000046378Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.135{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\DemoExe_MDd.vcxproj.filters2021-08-24 09:23:27.134
11241100x800000000000000046377Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.133{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\DemoExe_MDd.vcxproj2021-08-24 09:23:27.133
11241100x800000000000000046376Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.132{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd\DemoExe_MDd.cpp2021-08-24 09:23:27.132
11241100x800000000000000046375Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.131{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MDd2021-08-24 09:23:27.131
11241100x800000000000000046374Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.131{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\targetver.h2021-08-24 09:23:27.130
11241100x800000000000000046373Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.130{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\stdafx.h2021-08-24 09:23:27.130
11241100x800000000000000046372Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.129{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\stdafx.cpp2021-08-24 09:23:27.129
11241100x800000000000000046371Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.128{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\ReadMe.txt2021-08-24 09:23:27.128
11241100x800000000000000046370Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.127{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\DemoExe_MD.vcxproj.filters2021-08-24 09:23:27.126
10341000x800000000000000046369Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:27.125{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA8F-6124-3209-00000000F001}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x800000000000000046368Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.localDownloads2021-08-24 09:23:27.125{80A11F3A-BA8E-6124-3109-00000000F001}4440C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\PowerSploit-master\CodeExecution\Invoke-ReflectivePEInjection_Resources\DemoExe\DemoExe_MD\DemoExe_MD.vcxproj2021-08-24 09:23:27.125
154100x800000000000000046676Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.787{80A11F3A-BA90-6124-3409-00000000F001}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000046675Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.704{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A1295C5740B5AE4BE7131224E79C38,SHA256=EC1C28031EFA649DBC5141B10F04F75090068CF1303F277BE86AB021B0ADDB31,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046674Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.698{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BED6586EBB7E26F54837E6A4B00060,SHA256=63C0EC309D222D3425C573A56E0C9F4492B31D34B5CDB456C69337533172C219,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046673Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.305{80A11F3A-BA90-6124-3309-00000000F001}45085976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046672Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.125{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA90-6124-3309-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046671Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.123{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046670Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.122{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046669Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.122{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046668Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.122{80A11F3A-9FFC-6124-0C00-00000000F001}8526956C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046667Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.122{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA90-6124-3309-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046666Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.121{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA90-6124-3309-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046665Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.121{80A11F3A-BA90-6124-3309-00000000F001}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000046664Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:28.090{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=068E86E6F388D502F0D01C074A678F76,SHA256=87F88412F3C4819B92551E75D4131953E1BD217E7B8A4F042C8ED5EE788A3176,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026154Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:29.674{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F978841ADAC68A26DD05775B8E1ED3,SHA256=5DE06A7107E94EFCAB95A70921A62C8612282694B61223F525B706008ED2B6AF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046713Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.849{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA91-6124-3609-00000000F001}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046712Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046711Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046710Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046709Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046708Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.847{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA91-6124-3609-00000000F001}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046707Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.846{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA91-6124-3609-00000000F001}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046706Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.846{80A11F3A-BA91-6124-3609-00000000F001}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000046705Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.844{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C037BE060F3BC93C4982FDD5CFFB1C8,SHA256=F50D80881C346FF4DFF179F81442F08E17A3F750F2FBD0047940B5B376022CCD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026153Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:29.348{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-102MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046704Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.516{80A11F3A-BA91-6124-3509-00000000F001}17081160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046703Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.330{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BA91-6124-3509-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046702Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046701Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046700Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046699Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.327{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046698Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.327{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BA91-6124-3509-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046697Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.327{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BA91-6124-3509-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046696Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.327{80A11F3A-BA91-6124-3509-00000000F001}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000046695Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:29.130{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8645C49D85079AC872050955ACC6E98,SHA256=B26505F037DD745B8D7A3E40C4B1E36F2160EE167326B479B7E0A14A12829115,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000046694Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000046693Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:23:29.038{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067e087)
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46692 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-08-24 09:23:29.038" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\system32\lsass.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow Details="QWORD (0x01d798c1-0x50c2b7b5)"
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46691 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-08-24 09:23:29.038" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\system32\lsass.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated Details="QWORD (0x01d798c9-0xb2871fb5)"
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46690 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-08-24 09:23:29.038" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\system32\lsass.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh Details="QWORD (0x01d798d2-0x144b87b5)"
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46689 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-08-24 09:23:29.038" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\system32\lsass.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidence Details="DWORD (0x00000006)"
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46688 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-08-24 09:23:29.038" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\system32\lsass.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount Details="QWORD (0x00000000-0x0067e087)"
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46687 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-08-24 09:23:29.038" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\system32\lsass.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow Details="QWORD (0x01d798c1-0x50c2b7b5)"
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46686 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-08-24 09:23:29.038" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\system32\lsass.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated Details="QWORD (0x01d798c9-0xb2871fb5)"
EventID=13 Version=2 Level=4 Task=13 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46685 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- EventType=SetValue UtcTime="2021-08-24 09:23:29.038" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\system32\lsass.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh Details="QWORD (0x01d798d2-0x144b87b5)"
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26156 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime="2021-08-24 09:23:30.689" ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=795804D2755F57C80B70DEDFDDDAC0C6,SHA256=99D0F0A864B49B595674D8928E91CD7218172AA256B039F271C2687262EBCB3D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46716 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:30.869" ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=27591593EE171778ECD5E3BE77F06A2C,SHA256=23E295C33F7DBC168AE2B2518E3F80B74059171A5E567F32B4DCC4E853E9CB19,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26155 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime="2021-08-24 09:23:30.347" ProcessGuid={D371C250-A1CE-6124-1F00-00000000F101} ProcessId=1960 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-103 Hashes=MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46715 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:26.989" ProcessGuid={80A11F3A-A088-6124-D200-00000000F001} ProcessId=1116 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-391.attackrange.local SourcePort=52277 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46714 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:30.331" ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=D666D3D0DE2937CF09FB65E7E9033187,SHA256=C95E154CF9011F9D09ABEBF25023E02A9E6C7D6F32CEE7FD0A7C742B47C681FF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26157 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime="2021-08-24 09:23:31.691" ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=BAC234745D7F84301FEF47DE0742C92E,SHA256=9704C2AE1A77B64DA8F243CFE88364D6128C5A1E4B2A4FDC9F2747F0742588C2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46717 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:31.899" ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=B5462815768CC15DCC8A0B387EC891E5,SHA256=BD2A262BDCFF22A3B9B135DA46DEAF056AF82BF5853D7030845A60BEE7CBEAF0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26159 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime="2021-08-24 09:23:32.769" ProcessGuid={D371C250-A24D-6124-9E00-00000000F101} ProcessId=2996 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml" Hashes=MD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26158 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime="2021-08-24 09:23:32.753" ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=CC7054F8B16EFDFB8C0B72773D18A2A7,SHA256=65BF651CEABF1C09B63D61FA8ACB26296A7EED780912EBF762EA0A28223D9D9B,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46718 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:32.916" ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=113A744B4D9FE4756713A4FFEF2FBBBF,SHA256=AF49C4661DC2CD0DE474652EF6E836C3376B13AC85145A3C8CCDC06331556F58,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26161 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime="2021-08-24 09:23:33.910" ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=69ABE86F04E8582FECBBC586C77170D0,SHA256=028E2B084C73E0C873D69A28F594F54D07CD34AB1C02590DE358D7A7278A89A4,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46720 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:33.935" ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=7AA7A0B7413EBB4B8B7C3CBDBD6C28B0,SHA256=AD21B9F2B4F6F66BEC355C723FD3A2AE7D4212581C00071EF336AA9ACDA758A6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26160 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime="2021-08-24 09:23:30.821" ProcessGuid={D371C250-A256-6124-D000-00000000F101} ProcessId=2604 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-944.eu-central-1.compute.internal SourcePort=50966 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.eu-central-1.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46719 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:33.619" SourceProcessGUID={80A11F3A-9FFB-6124-0B00-00000000F001} SourceProcessId=632 SourceThreadId=3560 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={80A11F3A-9FF8-6124-0100-00000000F001} TargetProcessId=4 TargetImage=System GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46724 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:34.950" ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=1B81E6D5ED71365ABF987AC83508A592,SHA256=C883BF7C6002B79DC5FE819CAAEC744B20372FCD3289755A3D37E13F2718B262,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26162 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime="2021-08-24 09:23:32.365" ProcessGuid={D371C250-A24D-6124-9E00-00000000F101} ProcessId=2996 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-944.eu-central-1.compute.internal SourcePort=50967 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.eu-central-1.compute.internal DestinationPort=8089 DestinationPortName=-
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46723 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:31.420" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\System32\lsass.exe User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52278 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46722 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:31.420" ProcessGuid={80A11F3A-9FFD-6124-1600-00000000F001} ProcessId=1296 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52278 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46721 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:34.519" ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=9BD1D7A1EEAA6F7725D70922CCF1BFE1,SHA256=FB2ED659FDF8430EF83E1334F1CCD5B78932EDE45A9E06AB26FCC9EEAC456F5C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26163 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime="2021-08-24 09:23:35.144" ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=8A4448FEBBD035FEFD13B33E7CE6C384,SHA256=1AC994B77093240AB62AB772819742D1B7BC13CBAC2FB451D11623CC860995BE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46767 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:32.032" ProcessGuid={80A11F3A-A088-6124-D200-00000000F001} ProcessId=1116 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-391.attackrange.local SourcePort=52281 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46766 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:31.536" ProcessGuid={80A11F3A-9FF8-6124-0100-00000000F001} ProcessId=4 Image=System User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52280 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=445 DestinationPortName=microsoft-ds
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46765 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:31.536" ProcessGuid={80A11F3A-9FF8-6124-0100-00000000F001} ProcessId=4 Image=System User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 SourceHostname=win-dc-391.attackrange.local SourcePort=52280 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:602a:bdbc:a5ca:90b5 DestinationHostname=win-dc-391.attackrange.local DestinationPort=445 DestinationPortName=microsoft-ds
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46764 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:31.429" ProcessGuid={80A11F3A-9FFB-6124-0B00-00000000F001} ProcessId=632 Image=C:\Windows\System32\lsass.exe User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-391.attackrange.local SourcePort=52279 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-391.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46763 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:31.428" ProcessGuid={80A11F3A-9FFD-6124-1600-00000000F001} ProcessId=1296 Image=C:\Windows\System32\svchost.exe User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-391.attackrange.local SourcePort=52279 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-391.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46762 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=6952 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A5BA-6124-9206-00000000F001} TargetProcessId=5540 TargetImage="C:\Program Files\Mozilla Firefox\firefox.exe" GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46761 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=6952 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A5BA-6124-9206-00000000F001} TargetProcessId=5540 TargetImage="C:\Program Files\Mozilla Firefox\firefox.exe" GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46760 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45A-6124-F804-00000000F001} TargetProcessId=5728 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46759 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45A-6124-F804-00000000F001} TargetProcessId=5728 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46758 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45A-6124-F804-00000000F001} TargetProcessId=5728 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46757 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45A-6124-F804-00000000F001} TargetProcessId=5728 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46756 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45A-6124-F804-00000000F001} TargetProcessId=5728 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46755 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45A-6124-F804-00000000F001} TargetProcessId=5728 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46754 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45A-6124-F804-00000000F001} TargetProcessId=5728 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46753 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A45A-6124-F804-00000000F001} TargetProcessId=5728 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46752 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46751 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46750 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46749 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46748 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46747 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46746 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46745 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46744 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46743 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46742 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46741 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46740 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46739 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46738 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46737 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46736 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46735 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46734 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=46733 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime="2021-08-24 09:23:35.365" SourceProcessGUID={80A11F3A-9FFC-6124-0D00-00000000F001} SourceProcessId=908 SourceThreadId=928 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A44E-6124-D004-00000000F001} TargetProcessId=4160 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046732Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046731Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046730Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046729Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046728Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046727Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046726Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046725Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.365{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026164Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:36.175{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDED73294D71F7C0B6CD16ECBB63BFF,SHA256=2371F27250D89479505C02CAC736F2B24EF941C091B6CD3BB44C779B549E5FD8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046768Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:36.095{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1710632F4FCE80B62036335637666DEF,SHA256=16F2F942AF2AACFF2D0EEED3C707675496ACB04CE171BF88502D1FF141175828,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026165Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:37.410{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832E6D04461E590C9351F889E0181C3F,SHA256=FBFC0154B6CFE095F48588A4A074CAFB94A91C7CE354C1C1AACF1AFEBD2D08F9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046783Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046782Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046781Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41606228C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046780Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046779Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046778Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046777Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.678{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046776Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046775Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046774Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046773Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046772Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-A44A-6124-B604-00000000F001}27884132C:\Windows\system32\csrss.exe{80A11F3A-BA99-6124-3709-00000000F001}6332C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046771Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.516{80A11F3A-A44E-6124-D004-00000000F001}41606380C:\Windows\Explorer.EXE{80A11F3A-BA99-6124-3709-00000000F001}6332C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+17c30c|C:\Windows\System32\SHELL32.dll+19ead8|C:\Windows\System32\SHELL32.dll+2846d3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c5b0|C:\Windows\System32\SHELL32.dll+179a2e|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53
154100x800000000000000046770Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.462{80A11F3A-BA99-6124-3709-00000000F001}6332C:\Program Files\Notepad++\notepad++.exe8.13Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Administrator\Downloads\PowerSploit-master\Recon\PowerView.ps1"C:\Windows\system32\ATTACKRANGE\Administrator{80A11F3A-A44C-6124-23D7-2F0000000000}0x2fd7232HighMD5=0D634FDABB6046E5106293972FCBC968,SHA256=40BC229F0708E3608FDF9788E0DD7AC02DFB750D257F7F99CB95A1B3C6FCE9E9,IMPHASH=5962B5A92CD4E6C7B3EAFA149B008211{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK
23542300x800000000000000046769Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.112{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43832DAD8F9F1395E104BECE6A29DF78,SHA256=DF710DED0F0F911C52708E22D83613BF391833F7C9981C789F81E9A60A1517AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026167Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:38.425{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA6F20A9EB0A1BF545D858A16A1077F,SHA256=DEF62112B881306E2E12941D5C0F0C80F41F945876F6ED94FA057C6837F597E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046788Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.463{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09F6D627D949A1F2D11E09352E7503D0,SHA256=8DD1E7002E752163757898FDFA912388E2DC64624A9B1F7959636959089CCBD0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046787Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.294{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-0F00-00000000F001}316C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046786Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.294{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1600-00000000F001}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046785Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.294{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1000-00000000F001}440C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000046784Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:38.132{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473FF7D26B4612D800CA34E59A7744F5,SHA256=977E0C7369777B90A4062A5F3F628D2E43027AAF8552AD212AB2F12B1601F972,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026166Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:36.740{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50968-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026168Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:39.660{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF33B6B5B6629332121DCF9BE194EEA,SHA256=8B3B59F39848BE72406A94FC6DAFFDDFEF8FF547A64D9651C78A5677580212AE,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046791Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.598{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52282-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap
354300x800000000000000046790Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:35.598{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52282-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap
23542300x800000000000000046789Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:39.147{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FFB0C92C553E5065C7E2128FDDA81D,SHA256=A2DBF556AB1DDD5D7089806AD413B6D9F33E0C6B22DD3E68E2B10F8FC2631C24,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026169Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:40.706{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEC60C49AB61571F1237A95860B63F1,SHA256=FDF60CA60A8FAC8C5DEE02FD8046B420031B96D9CFC943CFD81DC158A59E2066,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046793Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:37.050{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52283-false10.0.1.12-8000-
23542300x800000000000000046792Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:40.147{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDB14E802F7526881E29980F6778882,SHA256=98A484E26AF4C656637D993810B36A71CE02B4D341572846980C7B1725CE6B04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026170Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:41.706{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BD75B344A269AEB5D64381246206A1,SHA256=97149DC204BB00AAE1C370530F798AC8F0AF8E7A2186BEACD488A74FCD4D7DFD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046797Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:41.220{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad
354300x800000000000000026192Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:23:58.667{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50972-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026194Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:01.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D71B089918A852BEE201D0C2B8345A,SHA256=A0666D74BAE8FC3580AAA41ABF12E31C88E1C112A45F76083E9ADA0ADDDF9918,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046847Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046846Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046845Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046844Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046843Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046842Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046841Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.666{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000046840Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:01.498{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECD9F7581B333513797B67BCEE0F007,SHA256=D0DD761E656076DB6D11CB2CF17CDFF613CFF2ABC3CFEF29E1B516A92A7AF6B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026195Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:02.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6A2B0DD856530B78C24735A456FECA,SHA256=AF05A3AF43622EE26D39C79E5BD727EF1DE288D04F114C8D99EAF1A80E4FC512,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046848Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:02.535{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39FD48A96A6A94D05D792729AFC1779,SHA256=812B43E46E4371EF68B1BB65486D229757BAF4A8380F193B11BEFC2DF9179906,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026196Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:03.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520506AD590AF7ABB94A2DED53EFFDBD,SHA256=E4FA0A9E80F7A7DC734B48E95475A255F4E388FFB72E91A4953C82B4DCA0B441,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046850Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:03.535{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509CE999F44D5B8585BC043B0A7BA7E6,SHA256=D50CEEBFA1CD6ABE1237F43CBEE7181572BF46D3C79ACBAF1F7F1627BA263ED5,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046849Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:23:58.972{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52288-false10.0.1.12-8000-
23542300x800000000000000026197Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:04.726{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A693E5E6CC8663D6B605D6A2310A183,SHA256=7ED9C04D65206038A8B88CFB9327A606DF187EF33FCF63833C15002E2D9C1AA1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046851Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:04.550{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E5CAA9AE020E866F196CB0F6EE5972,SHA256=291F847FFB24D888E84D913305F23E2ED201E572AAB9DD46E7133D4AE8A578D3,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026199Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:03.792{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026198Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:05.742{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0D45FD26528A92DFE2B5EECEEBABEC,SHA256=68FFB0BE774031FB109F9BE4D5E82E429CC2E03CE0B21441F31BDE0C636CA026,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046852Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:05.550{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90395AF5965E68AE0A2E69C2CE486C4A,SHA256=AC340D6EACF12F9B384A2FB43F1F00603AF9BD375DB2A2518FA9C008D8A422DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026200Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:06.742{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62687C7ED2D5CA93C231B95A7CE77F83,SHA256=BBC081A177E7326AC6FA6175FD1165BA85DD85F091E79A827850972986F0107C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046853Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:06.565{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F26AFE55239E1D41689DE554918B0B0,SHA256=24DE214FD52C366C5FA1E8D32637D16D2F0F17E0DFAEF7ACF8184EBC67D236AF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026214Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAB7-6124-A106-00000000F101}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026213Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026212Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026211Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026210Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026209Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026208Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026207Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026206Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026205Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026204Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BAB7-6124-A106-00000000F101}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026203Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.851{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAB7-6124-A106-00000000F101}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026202Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.852{D371C250-BAB7-6124-A106-00000000F101}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026201Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:07.742{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D092A1F10EEB1CBE10A22546DECA10,SHA256=F9F3D2634D5CAD2CE48BAE68352A2ED3B26225FAA1BB4D564367F4AE24ADDC32,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046854Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:07.580{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FA3633DA3BDEAA428CA4E4E6F2E450,SHA256=C74E11AF71BEF072754781DC3C85BC2456A35949AE07B4002A3EB9C2D33E6CE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046857Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:08.595{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB0F985F86C28188BDB421E42F8F4B5,SHA256=4B2AA0975CCF302BA07FDA61805CFED6DCC58CE0CD7088DD788BDFA6F6DCD9CE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026227Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAB8-6124-A206-00000000F101}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026226Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026225Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026224Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026223Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026222Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026221Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026220Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026219Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026218Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026217Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BAB8-6124-A206-00000000F101}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026216Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.351{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAB8-6124-A206-00000000F101}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026215Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:08.352{D371C250-BAB8-6124-A206-00000000F101}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000046856Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:08.432{80A11F3A-9FFC-6124-0D00-00000000F001}9086952C:\Windows\system32\svchost.exe{80A11F3A-A5C6-6124-9906-00000000F001}2484C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000046855Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:08.332{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FCAE3CBAA65EE89D363ACC5E7D2C06CA,SHA256=CD24C4F4B673DD9B29388BCC0DDE72D59BF10DB5DBB7C44DA3B521E1D43A6FAC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046859Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:09.613{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CE0360F980F17E5644BB5771531CCF,SHA256=6B93FB403EC290A3D23D2D7FB475C405FE0EE54791876D9D54E58257B1C06FC3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026244Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.211{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8926F10072BB02E524719255458C3E24,SHA256=D29F76372CAE693E4B1C52E06D0E79688A781D6CF89DB10E53FECB2D59C8BDBD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026243Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.211{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C1F648D988651FDF90484D9943DBB2E,SHA256=653A75A4E448AC32A8ACC77154D2F50D7CFB6EB51869ADE166EA66E63326D149,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026242Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.211{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282DD81ABED4C5A883287B8AA48393AF,SHA256=5594693AA1173A0499C5439406C1AFD9248CECD674AD126A4B6DB22D67915BFE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026241Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.179{D371C250-BAB9-6124-A306-00000000F101}1908716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026240Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAB9-6124-A306-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026239Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026238Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026237Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026236Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026235Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026234Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026233Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026232Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026231Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026230Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BAB9-6124-A306-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026229Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.023{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAB9-6124-A306-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026228Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.024{D371C250-BAB9-6124-A306-00000000F101}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000046858Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:05.017{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52289-false10.0.1.12-8000-
23542300x800000000000000046860Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:10.631{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC843B53745F566585115E9BE36E87E0,SHA256=054D30A528BA70DC81DA358D8819BDBE268767DA968D377F0A3E33F9F2D40CA2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026260Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.200{D371C250-BABA-6124-A406-00000000F101}6841080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026259Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.059{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8926F10072BB02E524719255458C3E24,SHA256=D29F76372CAE693E4B1C52E06D0E79688A781D6CF89DB10E53FECB2D59C8BDBD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026258Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BABA-6124-A406-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026257Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026256Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026255Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026254Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026253Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026252Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026251Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026250Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026249Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026248Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BABA-6124-A406-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026247Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BABA-6124-A406-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026246Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.044{D371C250-BABA-6124-A406-00000000F101}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026245Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:10.028{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D8A8FB75123A211EFE5546F80FD279,SHA256=3D7A5F7A902A61072DA216101EFBA88A0EAACA3544101833F355287C5BE3CC06,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046861Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:11.646{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B15402AD3029DB79D34512E7B83D8F3,SHA256=711BD93AC00DB54498415F5F575B3C98C85117CBFEA3A4925D40816CE28E7DD4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026290Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.965{D371C250-BABB-6124-A606-00000000F101}19241652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026289Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BABB-6124-A606-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026288Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026287Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026286Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026285Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026284Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026283Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026282Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026281Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026280Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026279Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BABB-6124-A606-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026278Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.840{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BABB-6124-A606-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026277Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.841{D371C250-BABB-6124-A606-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000026276Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:09.797{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026275Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.497{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CAB7C61EC7D410BE9D62C3A897CF14,SHA256=C1FF4A120E28170603F46C65B62E975EA259EC6D963CF6DBCA3768E6FD3B6E3A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026274Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.325{D371C250-BABB-6124-A506-00000000F101}4064300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026273Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BABB-6124-A506-00000000F101}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026272Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026271Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026270Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026269Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026268Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026267Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026266Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026265Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026264Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026263Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BABB-6124-A506-00000000F101}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026262Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.169{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BABB-6124-A506-00000000F101}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026261Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:11.170{D371C250-BABB-6124-A506-00000000F101}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000026305Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BABC-6124-A706-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026304Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026303Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026302Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026301Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026300Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026299Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026298Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026297Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026296Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026295Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BABC-6124-A706-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026294Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.512{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BABC-6124-A706-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026293Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.513{D371C250-BABC-6124-A706-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026292Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.356{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A51C3919367CE1A1640663E33F033CBC,SHA256=F9BAAD3306BA0C088A0B63710689F8ACA3D9E0E43E87069E2D50D011E5DC163E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026291Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:12.325{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58187B206D65236D2F3F482E398EAB5F,SHA256=7957AA1EF0F624A9FE3B75EF89588A3B0EC9C43716B87DC8F5A0EA112777F240,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046862Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:12.661{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15ED1D2D09291CB1569A7B288B4AE18,SHA256=C98CB4E04580B4252AA2C1EFC2B89DEB36181E323148370D710DD9F51EE79893,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026307Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:13.653{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3375CA12D70540A338ACD1270A52AFC,SHA256=F08AC72100F8EF2A7F24272BE958F5685C1A3AD166BF53491AD659F71B7F4705,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026306Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:13.559{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B5458645DC4AD3AC2E5B4235122B1E,SHA256=A9F75717BDA0CED95F9154706E6248810180105703B4D50456EF66D9ABACEAEA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046863Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:13.662{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AF02F0DA3F742D09DF00D2FDD8434B,SHA256=B1C8A6F831EB0F3BFC4D824B09B2C47210796AF665F458CFE5950C41218C03B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026308Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:14.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1989252583601D85801684F4FFFA91A5,SHA256=6A5553F7579E6227933AF097E444472AFECD4CC480F1BE8EE47BFDB8261C6F3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046866Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:14.666{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\respondent-20210824073023-110MD5=89885AE3740098080BF921C3557A0F2E,SHA256=52D69EE216311DAE394F361B1D857B742DE70422D40659B0C19407492A89204B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046865Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:14.665{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D66E49F10463E865A0F15CB5F930636,SHA256=4B014288CEB6D8BCA1D544E1832D87F7BC97BB51A9A7E0C5A4C600D78DBC7C1B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046864Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:11.050{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52290-false10.0.1.12-8000-
23542300x800000000000000026309Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:15.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDDDDB47E540997998CACEC866907BC,SHA256=D974E5DA7BD6906D1004EE04D54D04E44E5BAA8592DC2B2265CBA5E0BBC70F33,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046868Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:15.692{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A9071C705F83840B8FE4C72E5FA9B3,SHA256=8B20F6F29C079B59D8B700AA6BF91FAD808AB0616B50B2368339227985706173,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046867Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:15.676{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026310Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:16.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8A650D62D6DDC216827C26003776B7,SHA256=74A2AD79602FEDA19D47DBACD13124E8EA76D3C1C48E63444DA0A931822C35CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046883Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.935{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=8611C7DCC73335D5F35E6DBE4A92F1EA,SHA256=BE69212FB89CFF7A0F421A64EECC26DA8E6A34DE8870F7C93C68641430C30875,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046882Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.919{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046881Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.916{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=EB06D43CDA7D056738875F2F1D6A8A2F,SHA256=3F2B6F3F6284575567861DCC5C9728F1FE21F0ED7907E84DFAC031DEB21714F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046880Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.835{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046879Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.704{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757A02D6E551EBECDE549778770F10B3,SHA256=E2732E4FFA0143E6578BD05D381AE6DA632FD54A6D7FE7E99A0450C04533607D,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000046878Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:12.944{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-391.attackrange.local52291-false142.250.185.74fra16s48-in-f10.1e100.net443https
354300x800000000000000046877Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:12.943{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63156-
354300x800000000000000046876Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:12.940{80A11F3A-A00D-6124-2700-00000000F001}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local63805-
10341000x800000000000000046875Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.437{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046874Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.437{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046873Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.437{80A11F3A-A44E-6124-D004-00000000F001}41603992C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1609-00000000F001}4404C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046872Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.431{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046871Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.430{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046870Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.430{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046869Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:16.430{80A11F3A-A44E-6124-D004-00000000F001}41605936C:\Windows\Explorer.EXE{80A11F3A-B9A5-6124-1709-00000000F001}7004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026311Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:17.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95DB8BEAA32B337AFDA5F495BAC7FE8,SHA256=F92667CB779DC004BF9D2A49531D68BF2FC2E85C50D62B0B22DF88E89B4AB655,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046933Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.781{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046932Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.750{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9135DF3E27F86FC30CF6B00BC6242D6D,SHA256=F476E0C07A6F0A762BB5DF6EC7FD3A8A76215BB8D4995D0149E78D33BB440A16,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046931Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.266{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=510DBE6F67223DC5455E6E4154A5ABA1,SHA256=EAE14BE97AEE2D07A23A3873E18A3B36C7B418FB5F7C246D3C545A3DE694CE64,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046930Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=74B40F273A6747E9CE65CCBF8271C07D,SHA256=FB4D70D21CBA8D7CB9007D65FA14CD3C9B1174E1C021EEF0E6AADF9ECDBF137C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046929Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=2B389398AA165211D3266E5FCE7C4A1B,SHA256=D03AED95539ACF458EB2DCFAE019EE36FE15032E585CCE3E27AE6F9C2CE81CA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046928Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=770D1830F8D6205E2C4F4803B793ED47,SHA256=F60ADE0662A50F1FD8DB63072A7334A25B65F787BCB5919D48F5553815DD786A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046927Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=A22E116730EDC7AF2CCA43F01ED2287B,SHA256=8ABFC97A9A054898114283D995C9CE64B117E7F0341E41A59684A307F14DA4BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046926Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=3618696D4E539F97562A79C98543C1CD,SHA256=6A36AC5E5DD100E661DA8D21E24D4EE9A7F8CBD790B582751AC58AE747372192,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046925Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=431A9D7F2CDFEAC0470A064901787C16,SHA256=2A5C6A47A86FD3D1FC267C287D10236BA97349083E7DFA67022AA99FF126BA71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046924Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=D4EC42A09329AF85B3C9A1C00EA2B908,SHA256=A3F3F2349DE8CA75AD8A464731DC17802A0DDD34BB1E3D4FAE83A674DB613CAF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046923Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.251{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046922Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.235{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=1904311EF938B38EA7286C04E0773792,SHA256=DF82CCF876F410906794D4550BA321E1D0C8A8B4D046F7EC9410F4468ED90820,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046921Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.235{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046920Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:17.235{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\03bm82ms.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046970Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.912{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046969Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.912{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046968Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.912{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046967Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.912{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046966Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.911{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BACA-6124-3A09-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046965Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.911{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BACA-6124-3A09-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046964Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.907{80A11F3A-BACA-6124-3A09-00000000F001}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000046963Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.774{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E28AB96CA9C75AFDB879BEA1F22EC283,SHA256=DF436E90339497D844C53569F875899F89AC6DDDE2D3D23BFB271C07A55A3CBB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046962Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.774{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F098465E378D19A3D3EE3235A7C9B748,SHA256=9A9C902E48E018984C63597507EB23F95215ECA10C71FD475F0755390F971277,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046961Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.290{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BACA-6124-3909-00000000F001}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046960Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046959Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046958Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046957Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046956Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BACA-6124-3909-00000000F001}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046955Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.259{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BACA-6124-3909-00000000F001}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046954Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.260{80A11F3A-BACA-6124-3909-00000000F001}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000046953Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:26.159{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8195F2753585AF0E4EC18063205E7BD3,SHA256=5599E9A4188E94F4AF2B905CB35D9B022E59154267DFF6D1A7BB3358E68F1581,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026322Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:27.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A761B20BD2DF7E7217EB4129FE7F3D7E,SHA256=8B867D928108B4A3BED12EA9D50B1A77A5535759B0A06A954EF4A7D10DDBA74F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046984Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BACB-6124-3B09-00000000F001}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046983Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046982Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046981Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046980Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.996{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046979Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.995{80A11F3A-9FFA-6124-0500-00000000F001}416532C:\Windows\system32\csrss.exe{80A11F3A-BACB-6124-3B09-00000000F001}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000046978Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.995{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BACB-6124-3B09-00000000F001}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000046977Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.994{80A11F3A-BACB-6124-3B09-00000000F001}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000046976Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.912{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E28AB96CA9C75AFDB879BEA1F22EC283,SHA256=DF436E90339497D844C53569F875899F89AC6DDDE2D3D23BFB271C07A55A3CBB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046975Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.775{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A676D5E781205E27BC374E71F1D1606,SHA256=7AE8B3DBF039E23565BB6552C17AA8997B0787EE2A1719C363098E97967943E3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046974Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.360{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0DDA2EEE4E0779C2315E74422E8776D4,SHA256=333D79E54BA948091DC7EC4B890B9A43E19BC206D3E02E35887BC973D4046ECD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000046973Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.195{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EFDE8790E26D9D562DD2381A559971,SHA256=9A1F62B0FD7F63E2772B4ED6E5BA07F5218F26C5032735138601845F099949D3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046972Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:27.121{80A11F3A-BACA-6124-3A09-00000000F001}65282436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026323Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:28.778{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2B2523179AD000DCCAD4F95071194C,SHA256=3C481C68EF1AB880B95BD2659945A4D7EE5494DEB3EB65C9E934FBA7DF653C22,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000046995Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.877{80A11F3A-BACC-6124-3C09-00000000F001}68047092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046994Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.661{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BACC-6124-3C09-00000000F001}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000046993Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:28.661{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000047050Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=25DC5AF073B19827F12ED5F91A78B359,SHA256=1398EFD711A333BD4AB899E0C032F08C1F63C557745D4961AC36F7DFB161E85E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047049Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=5FABA8D1F234D5EF845895C7970993A9,SHA256=27E91E0C98C10D048C76434AB57969EEB7906ECEA6948B2751B49B9D2337A2E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047048Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=87039F9D58C22A527322D73F124922C4,SHA256=F52B322932F8B94D688C580A16AB13B1AB21419BB3E36AE719A2CF5D7A98BB5F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047047Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=08247C3F614DED9EE94A5DB8443F94EA,SHA256=B7F3099FDFD14C2BB478103DB68A9F3765121582FAB3120FBB2954524CEE9F0E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047046Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=84013BAAC51742F144127BD29A9A0D7C,SHA256=FBACA3A45E45D28167B6E618492E1784C9FEC880D87C2B6FF50E3DC7220B431E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047045Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=ADCFF6C9C4D7397F93554F7D75557706,SHA256=24693A50FB1619627D6EDF2B0B38FF5FC17A48FB8660E83F91DE02DB4B3C2667,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047044Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=373857E56ECCBF8D6E6D123F4F12C62E,SHA256=F11A5D7935EDEB5B5D05B64FA548D60C9B0C3A786AD2E8101AA7423F9F9C709F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047043Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.661{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=412CC20ED191382D7A9CD60AD3E7FDEC,SHA256=8892D3F3DF3B8A6CFD09A6EDDFD4D29A7252752B7F2A3FB1FD3DC0195F8F80C3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047042Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:34.330{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA72B51030E6FCC15C53101B3F339FD,SHA256=93C30D362B16957D428B255903E38A20F32B1679A4A60224BA4978631D259ACA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026334Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:32.654{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x800000000000000026333Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:32.388{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
23542300x800000000000000026336Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:35.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEEA04F571C3EF9EEB6D8EC1794CD9D,SHA256=77B56DC91C2CE9AF55755F10AA28F37CDB39F9F08F50D2CC11D79B985A7BF3CD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047051Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:35.345{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98442556ED1A71D0FD731188DB05966,SHA256=7115DFB6072ACCB4424885BDA17F1305F4B4F6F82DB33682BF959B35945D83F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026337Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:36.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7F44BDED719336A281528CA5C4BDF4,SHA256=3D1628415348A9B6C3A349512D0DD4F46DB10BFC775F9507B57E85D0D971CE85,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047053Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:33.182{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52300-false10.0.1.12-8000-
23542300x800000000000000047052Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:36.345{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7876703BC8E07C934185298D70F72E68,SHA256=F7CD64CBC49193C137D05189C426B7B63096A050A4D1C7C6466EA0B769EA74A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026338Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:37.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA8547C46C19944FACF6DB4ADBD3057,SHA256=5F384ED2BE5094A0349B36A117C5D6ECCD79CF50EBB0D5FEFBCA3AAB8541E2B0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047054Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:37.375{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC966B6EFE41A7A5A8F81078B70EA56,SHA256=EBC9B77E3B0C7A13F7E67460D1918E7E7C5B8F3A1DFD8242614E717BC2BE6B67,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026339Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:38.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7E49A8FA45BD9903F147FFF33E5F33,SHA256=D82CAC0FF816C5C15E22B4577078C709CF7C078D2EB93A5661697B3B5857BD02,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047061Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.711{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46868AC0F0138BD18285FB54894A5BF8,SHA256=8CE4E075974240DEC582617E7595427591D2C16AC23784A27B037CB452942B7D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047060Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.711{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=931C50E2FEE90984F9968FD12EC294C2,SHA256=23033FFCF3C09636E56AF0361F15ACF1C4C84B07C482DFA20B455829EDD8302F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x800000000000000047059Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.458{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\AlternateServices.txt2021-08-24 07:59:38.155
23542300x800000000000000047058Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.458{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\AlternateServices.txtMD5=6D7B289F5EEE191E3BFE55EF41855129,SHA256=FE20DE12566ED7F807737756EF4E6B87E534E3C38031F5DB46052EF15CCF7189,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047057Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.412{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F8D591E3F9B08303B3FDDBA179A0D0,SHA256=E8A51415BA23AE90A6626E0B9D8BA5AB3C7EFA464BDF7443117D07A3CE94911A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x800000000000000047056Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.412{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\SiteSecurityServiceState.txt2021-08-24 07:59:38.087
23542300x800000000000000047055Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.412{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\SiteSecurityServiceState.txtMD5=7D19994562DDF7DB67F0BCFE73FCF6BC,SHA256=A169245502FFB7292E88D5445E9776773702B3BC6CDE7E8052A657F31223866B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026341Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:37.685{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026340Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:39.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B150991E02ADC053696C6FDD7FC9B347,SHA256=52EE30A94E0A210B1149A2F8EADC1291600318AA39092F470DA47AA941D508B8,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047064Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:35.613{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52301-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap
354300x800000000000000047063Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:35.613{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52301-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap
23542300x800000000000000047062Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:39.442{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C34E9B2BB968466E94A117FF36639A,SHA256=2FC6C65D62C3049D8A6FD3B27D3A4D4A16EBFDA5E0A51935F823F86BA422D909,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026342Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:40.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F54207D909F65B5CFB51662EAC0DC8,SHA256=07467BF8F94B795BBF70B752FDAEDFABE7F02B7BC8387EAB798242CFAE306273,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047065Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:40.444{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1202867E4B91E84202F53FDD588B6139,SHA256=2F9951172C9C24590B41312E75A21A64D2DB5874BF3543824F3900076B43C43B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026343Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:41.916{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D145FE42920943F3205CF9E880AC586,SHA256=F267E6AAC1DF155549FC9C69117B7A465CFAE55373D120D735042BAA00F1FE6A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047074Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.458{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58C136D7F3524CDCB5738E6708AFB67,SHA256=6F4403A8F1D3FE57109A8E618FE98C0E6DFFA0A2BC9A40842ADAFC48B1C94D9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047073Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=630A88A5A2DC5444B88E3168B45BF4D9,SHA256=FC9AB29EB5E70397FC87E331E20AE3C18834AA52DBACA0A60B0966153C6A22E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047072Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=290207451E901496A969B4717DC52C1A,SHA256=EB13E710295AD7D7A8468B0CEACFB8677EFF611FE90456F0EA2B502A758AA61D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047071Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=ADE0D591C8BA27E0C45C910F89B27BEC,SHA256=72939E7106449F578CCD6CF7E289D0371251DDC7E0E6C7D2013417FDE005F99B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047070Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=1A9F3C378A26B6024CA78CBCEC0FF70E,SHA256=05CA3A934307FDACF5BFB1B5F12C3E3A4ADF31630829293045E0A5275040E197,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047069Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=B1116B396B212CD3ECBD3EE7C6AED374,SHA256=F569B1891EB5A2056C737EDA1D6DD1AD820243B02E8DB6E1DD3ACE86A2A86130,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047068Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=D218C4956ACA875910C8823F8A3643AE,SHA256=DB1105462EAF49753E2030D6F36BB6EAD60EA8C11B2BB823DE932B6996F6F99C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047067Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=A19800FE03A75719EFF559C5561EC39A,SHA256=29C86382BA44E2EB578B33C12EBC310DEE99435124139D9AF95EA794252EB082,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047066Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:41.143{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=033F22DCCCC9E91A945F89934DB4C714,SHA256=AE50E2C8C595005228E88B7B4875BD9361A900531695104ABF201F88A376A5D4,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047076Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:38.934{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52302-false10.0.1.12-8000-
23542300x800000000000000047075Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:42.474{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D08BA0C05B0CAC5311E2FD3514D7D1,SHA256=44EDC53AA0F9A06AA637D3F7FB308D7C74EAAC27FEE7EBA483AC6EEBA68C86E5,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026345Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:41.249{D371C250-A1CD-6124-1100-00000000F101}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:3c3a:268e:f5ff:fef0win-host-944546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server
23542300x800000000000000026344Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:43.150{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C2C7322A8CB1181A614F0C471115B4,SHA256=B24B5EDF75857C0A49666AC8D768FE3643E518D68F3932297F31A2FEC9F6B956,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047077Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:43.491{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D411682BDE1EB3F4B7776EE822DA0780,SHA256=8EF7DC4965CE81E27E57F4B7EA73236DAA7E56F5599312987F01CD3FD68DEFDE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026346Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:44.385{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731FB88AAE4C385DBDB1A12562FF5259,SHA256=1C92C70CD142B6561F75F44F1D3273890E799CCFCE7D90DE615A5D2986165614,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047078Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:44.510{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB244C5235156365E6ADC0BD53B7EFA,SHA256=D69F15C13EA96591709620E59738E271D96D6370FEFCE64562F7EC2935088497,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026347Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:45.619{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39197F58898A2CBDBD4ED741674FB97,SHA256=1E1BC62E9EE3D546D20F151B69D716046E2FC4F458DE08781786AB28E8444AB4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047079Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:45.541{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2683136D7372C374D5485BB58B67F03,SHA256=06B7D5627681C3341881F2B7EB59F5D8A08DBE0A099E7CF6153BDDD465D8FE93,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026349Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:46.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B9C96A7742C56F62C9EE603E822A9B,SHA256=0A975602DF9E2BD9F440B8B9F3BC437D26319B093BB0E9F6776336666D003A46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047080Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:46.543{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E4B0B2B5E8D0EB28C3D6DB7A464DBC,SHA256=3357754AC104CEDF834997A4734A67A2213A0B63323848CA671BCBAEA2E5D8D4,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026348Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:43.685{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026350Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:47.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8241A199E8A4F6C3126B4494AF91A2,SHA256=8D2CD0D79AF5477BBCAE2568EC23FAF3297F37DAD60FA1DAA6960C4C6669887C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047082Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:44.164{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52303-false10.0.1.12-8000-
23542300x800000000000000047081Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:47.557{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DF89BFC8001595B6BBEF2E35A7D7AD,SHA256=BF193DC3F3B76F5ABEB63BE82CE493EA56E583133569152FF77B9618A4FF4089,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026351Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:48.807{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E4822A83F9CFBD5E8355FE73027147,SHA256=23D4E80203F69DB85170E4D0554B46FC45EB4E81C282A15135AF33FDDE6E4F03,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047083Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:48.572{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAD1EDA8E1DD8AF08E729FD93F6B824,SHA256=E86E849DA847761F0267DFF861BEB39BBD635A7B9D6378F4E50CE2A8AF234876,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047084Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:49.572{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0264FC7BF5BE175A45852279BE4AB508,SHA256=941C1A0E6F33FB405FF11EAA58C69ECA7C0A21E8A6E5D9795B78474F137D34B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026353Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:50.809{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=84D41EE810AE1415502149324BA96998,SHA256=11CEB6DE00518237877483F237F92F50FBF34B9206C9C83682A25BBAE41555E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026352Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:50.043{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871170417D7595F573C9A621336BFD2D,SHA256=CDFEF9E3D7EA55F42AFFD755E9181AE9BF03BD384E076E8312964FEB2EE1BE05,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047085Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:50.590{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BF2DA5F8C4411EDE3794433DC30178,SHA256=FDAB746B0383C46F122F687A58660A0DF5F534A1A7F72BFE133092ACB5B88542,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047088Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:51.608{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F112180C952A370B44E90C761C15F3,SHA256=B72F663CBCBDD3B4AFE45724819BC2625BFA46C66BB590E2F51722A3504F593C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026355Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:49.673{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50982-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026354Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:51.090{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8555C5761B75603AC9178F113BA2E215,SHA256=9147922886BD9396132BBBA7694EF2477A74562AF61842E4EB95E4A03FED08C4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047087Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:51.124{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047086Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:51.109{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=634908E5F7981C34B05B322668D7C02B,SHA256=E2F930805EEFE498D287DEDEB5F5E584D9752E14774B2258B5EEC02ECBFBDC27,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047089Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:52.639{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4580F16EBE70D74746D9F32D7BFE54,SHA256=C140A7064C7DC7605E00B2EC377FCD3779557B89D2F9DE7BBB29E9860E8CA9A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026356Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:52.137{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F6B72208DF597F1622A2E81337EFC8,SHA256=D61647A50C0BD7D52E5C745AA32A44EA1A191E411ED98DB047D544F25C2CC303,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047091Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:53.670{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2119ABB33D5F68DDBE9F1B17E24E3AB2,SHA256=84934A07FEE5607CDEE397C6E0E928FB231DCFA315FD202EBE963B81F279A269,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026360Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:53.293{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9165F3F7DA979559BBF92F054BD42ED1,SHA256=EBE5DEF7B939C5CEC0D9F73CF96667A5B5C9534C9CCC54761FFBC124CE7C798C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047090Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:49.032{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52304-false10.0.1.12-8089-
10341000x800000000000000026359Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:53.262{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026358Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:53.262{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026357Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:53.262{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CD-6124-1300-00000000F101}796C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026361Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:54.418{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4801754F4A0CEA52582385B458828074,SHA256=12FE1EF2764D323862BCCA27AD35A02F1DCCB924AA9478DEB6E87626F19D148D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047093Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:54.687{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F1A79718E8FD688A379402BFAEF6A2,SHA256=33FFB1AD29D544F9EDE0FC0B9A25CD938FF3E28479BF6929645CDC2B1A0B22B0,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047092Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:50.112{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52305-false10.0.1.12-8000-
23542300x800000000000000026362Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:55.528{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F513012BCCFF7B324BB2AF31753130,SHA256=9AE85312C56C4E255C9A6B19D1D0FAB064C19754A320659708C00E29EBBE7F0E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047094Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:55.706{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B732C49CD8E1CF430B74254AB9EE04,SHA256=F109DD88A8F822E8A70A58B55FD5E1144C1F6A1B001DC694F9FDC751AD45A7AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026363Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:56.653{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCFC63D60D11DFECE2E1919F46223BB,SHA256=2B131073E2C59849C8BBF2B3212B2459C8D027364A24172C7F82BE32D7735AC9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047103Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.736{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F7A090B8213582BF942FB9F4A51362,SHA256=17825D904F56BC64294F52D683A9A020B197A3A58C1CEEE2D723E9107DC2D68C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047102Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=E2D4594DDA6FA619060A81816B95BD8B,SHA256=3BCE92152BA34D27499D3217318DEB10020BD0FE0B77786CBF4F5AC035D60C60,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047101Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=5633F2C5047274EB60F6C26B0233381A,SHA256=DB16BDE6D989E6B99122322169E7705EA330DC879F8F5BB983C4BC16EC98376E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047100Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=7E49D3C0CCE63E09DB3C5D08C92DA9B0,SHA256=99193EFAD84165CB94323DD5C6DF8F56386EAE0D16523AFC754197B38ECCAE80,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047099Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.189{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=CBB3027E6157872F3F5455A4AB4857A3,SHA256=E57CAAEAF3022C7DA27B1AAB2C914D28DD75A22A6754CF22D7236E7720D10062,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047098Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.188{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=F72B3DE04C18C30AE0823D0183578EEA,SHA256=09291B918398D42C69DF1B2C48FAD274DD0847D9B480A3AE1EFD055220E2DB00,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047097Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.187{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=B98788506C8995CDF592F7A14514BE93,SHA256=B1CF396E058E6938C6F744CEB0E3A4303B9E155CACB151A81AB4B1940165EB1D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047096Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.186{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=45512C6E1C764A56FEC661CB7705E92D,SHA256=1AA642C368C418B20B66C146F518996B9D242B6C007E6E2E68099766A9D05149,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047095Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.184{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\glean\db\data.safe.binMD5=610CE8203617272B8FCE6C423C2CBBE6,SHA256=DA4EF4BBE5B55986A85779F0A096173AC850819783BBB0AB0128FC0E00F34F8E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026365Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:57.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8434A24B1527D4F8504CF90B28197DA9,SHA256=1A32CE65257FB4A2C8986BE62C956346CA476731FDDEA7D8A40BF2632BF0A78B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047104Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:57.767{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6213120FEF9D33EB9ADEAB7A47FF6A0B,SHA256=F5B6DBC13406DD8DD851FCE72EA25425812207021DD7C8DEAF0C7BAEB20E1864,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026364Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:55.657{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026366Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:58.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAE8544900C5DE9EB0E332825A20822,SHA256=0BD118A611CD1B9692993A42F9EA7D5383D9278A281FA3B1D44689AD26EAAA9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047105Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:58.768{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C95461E55B57042C6A392CAE0D247B,SHA256=C6E4CAE6524AD896B12D3021D67A0DDC4A73494A3BFB89DB5025D68BEFF82D8F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026367Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:24:59.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB53EFD3B317F33D776ECDD477F06E6E,SHA256=C54292683021666DEB8F4A66B70F040107093B86C59E10BBF5DB5598C5839317,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047106Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:59.777{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795EE86BCE6E91C9A7F6A983B0E12F4E,SHA256=F12EF9A35982C8CA611C41028C23EF9C0ED27A7609DBA4986D0D2A8F97F05A8C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026368Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:00.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935EECDDBBDDD2D468B158A3B58932C8,SHA256=A3B4213BF821F283059CB54F7F77298810AA452B7D3275CC2ABFF207A10FCF6A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047108Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:00.794{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C940B4BA848D57DBB9D06F8034376D4F,SHA256=25D595E0D75819C7AE2A07A4365345012539E5ADE13398433BCF54364D815CFA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047107Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:24:56.074{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52306-false10.0.1.12-8000-
23542300x800000000000000047109Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:01.814{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADB3BB1DD6707D9DA2ABA7E3671EC71,SHA256=929031C4981A62E5BEF7B61C618C8373728A06F86DED2A650A66868EFF625623,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047110Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:02.829{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7D1931E809C5DFFFFA93823A91EC76,SHA256=1B9E56A306CD0BDBD239C9036FECADBCF7DED30D04B474C4A3280126ABD112E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026369Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:02.043{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296E8C7847BB113A5EAE86A3D926061A,SHA256=0B45CC2F3DBFBF713094E43F23AA8FE2C7C31AD497BE32D52A729CD669AB8353,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047111Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:03.844{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16734950EDCBD9D8B17968CF4CF993D,SHA256=6AAEC1F15C57B4C7F2435C60E0FBF83219F59592A3938EC84A631976F405A401,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000026380Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000026379Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00623af9)
13241300x800000000000000026378Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c1-0x896b5edd)
13241300x800000000000000026377Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0xeb2fc6dd)
13241300x800000000000000026376Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0x4cf42edd)
13241300x800000000000000026375Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000026374Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00623af9)
13241300x800000000000000026373Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d798c1-0x896b5edd)
13241300x800000000000000026372Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d798c9-0xeb2fc6dd)
13241300x800000000000000026371Microsoft-Windows-Sysmon/Operationalwin-host-944-SetValue2021-08-24 09:25:03.278{D371C250-A1CC-6124-0B00-00000000F101}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d798d2-0x4cf42edd)
23542300x800000000000000026370Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:03.122{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C269E22363EAD0AEF40858D0058B7C,SHA256=E04C4C8E4D10B5ECFFD1938BA76469826885C3485A6E1A899BC63BBB080487CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047112Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:04.859{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA108BF92CDBFA5300FE7A428C9171CC,SHA256=500B31780012390469C53B78795ED5BBE94451E4998183B3B498D43D6CDBA86B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026382Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:01.641{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026381Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:04.356{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62F49B07322F29897A3F4F3EE6B7E18,SHA256=D24D550605D3F8B14DC32BE36C77B8F1539F96118D4F1CF6F4387223DFA69578,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047114Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:05.859{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B24A54A6D0EFC91CD9A84C41961EA1,SHA256=3AF4A5441712782EEE80B417AB59BF4DB085B13B73DD9AEF300D2C81BC25134B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026383Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:05.372{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC00A6751565A2FA304CDDC93AD11221,SHA256=4A6B7484E382BEEF55F7EF190A1E0CADC37326F90ED3C83654A20EE123B1DE29,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047113Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:01.152{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52307-false10.0.1.12-8000-
23542300x800000000000000047115Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:06.861{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561948A944A9C41D0B6D221322D8C4A4,SHA256=2D9B3B7D28712FBB835931CF9ADDAD582F22EFB86E7E5D8C257F858C8E573250,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026384Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:06.418{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B015C6F42248EF85FEE40C5EBA840F44,SHA256=6DC060635433391BDDCCD74A9E902207F43A82E74A67CBA107CA17AF2DFDDF9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047116Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:07.862{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69C5CEAC79A5E209C038AC86B613F6D,SHA256=F1889DEDDABB92C2E93C3F3131CF15FD64AE8A76EC6A41B01FE489032AFE4849,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026398Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF3-6124-A806-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026397Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026396Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026395Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026394Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026393Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026392Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026391Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026390Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026389Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026388Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BAF3-6124-A806-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026387Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF3-6124-A806-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026386Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.872{D371C250-BAF3-6124-A806-00000000F101}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026385Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:07.528{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6674022B118EA32757EBFB76525905D0,SHA256=E29A22D2D04A8AC8EC76F6BE21033BB8E3B05A70130871AF24AB1D9E4BF72ADB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026413Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.825{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9BFC4FA93C2DA4F8B9782C552AE83E,SHA256=DF58457B15AF0CA47CF7689798F6BA809373292E5EA2C0CBF7FC38298510DE3D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047118Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:08.863{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B3A6385C2C122DF6C39F3282F220D0,SHA256=95CD59C89C1AB54248434A1630522FE6D5F863E8B6F0EE187266FD7DD71FD2F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047117Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:08.331{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A7AE611958BC170D8F9AD18A8BAFDF33,SHA256=AFDD69C319EDE7AEBFD5ACCFEAF2521043374487183E921A136CA5A7B1E78216,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026412Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF4-6124-A906-00000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026411Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026410Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026409Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026408Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026407Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026406Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026405Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026404Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026403Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026402Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BAF4-6124-A906-00000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026401Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.543{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF4-6124-A906-00000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026400Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.544{D371C250-BAF4-6124-A906-00000000F101}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000026399Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:08.092{D371C250-BAF3-6124-A806-00000000F101}8243324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026430Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.830{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BE72518882215A3144DB4FA10DD3BF,SHA256=F6C4CD5F7E369089F9E3D9A8ABE12846C0A271312EE6C8E1819F7E47F41F69B6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047119Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:09.878{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DA049FD768B66F58851DC7D09D8907,SHA256=8DAA2DD549CEE32F5CE6F7F79D927C6F97A515AAE9BB3C13E6E729FC99409189,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026429Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:06.704{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026428Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.106{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E17652426DD274E60B5BE6263660AA39,SHA256=3C69CA7D34626509B402BA893C73144734CD1761D355FD08DA5DA1EB4F2C046B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026427Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.106{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6AD61FBD5F4B38E2346C1FE32923CB5,SHA256=DCC525FF8C9D20C742A1297544AE7611C7F8E5DA39073180937BC294B308C074,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026426Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF5-6124-AA06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026425Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026424Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026423Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026422Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026421Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026420Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026419Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026418Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026417Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026416Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BAF5-6124-AA06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026415Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.043{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF5-6124-AA06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026414Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:09.044{D371C250-BAF5-6124-AA06-00000000F101}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026445Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.830{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F893DC2DA75EB96FAC9D6C31EB36EF28,SHA256=A45336D4DE81828BDF800063774FDFFC9E804324880C69F096A8312461B4B246,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047121Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:10.897{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA85090FC3B1407A2C4AE1B8AE3D8850,SHA256=65A2FB279248D5244DC614C0934E5DB8FBF5A2D17206A804A8ACB881A92CE3DF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026444Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.220{D371C250-BAF6-6124-AB06-00000000F101}3316352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026443Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF6-6124-AB06-00000000F101}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026442Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026441Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026440Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026439Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026438Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026437Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026436Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026435Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026434Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026433Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BAF6-6124-AB06-00000000F101}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026432Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.048{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF6-6124-AB06-00000000F101}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026431Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:10.049{D371C250-BAF6-6124-AB06-00000000F101}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000047120Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:07.017{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52308-false10.0.1.12-8000-
23542300x800000000000000047130Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:11.916{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAA0DDB338ECB4EB7E014F8246F6CB1,SHA256=0EEE6FF52120AE47516A7C418EEAFEA9F8FA36DC146849697704B13A984C74C9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026475Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.986{D371C250-BAF7-6124-AD06-00000000F101}34682424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026474Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BAF7-6124-AD06-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026473Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026472Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026471Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026470Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026469Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026468Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026467Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026466Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026465Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026464Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BAF7-6124-AD06-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026463Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:11.845{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BAF7-6124-AD06-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x800000000000000047139Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-SetValue2021-08-24 09:25:17.829{80A11F3A-9FFD-6124-1000-00000000F001}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d798c9-0xf3e2d8a0)
23542300x800000000000000047138Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:17.215{80A11F3A-A00D-6124-2B00-00000000F001}3048NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-033a41ad2adc4bfd6\channels\health\surveyor-20210824073021-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026497Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:18.720{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0A89CAFA1FF14E8813E09E6AB645F5,SHA256=90496944F4DAA448E98C6B7759EB502D5758E0FB9DB3FBCCB6820778F5D206A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047140Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:18.013{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AEBE5FAD4E7E72167FD7E666772E30,SHA256=FA8A22DF9FBD6A3381C78455BF66B55BF4DA71997024E88EEB4B980CCCEFDDD7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026498Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:19.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2350BE349A3080F527C941A9BB17D53,SHA256=6FABB74EEA06267602AE82CB81D44A1AF9771B8BC2E1F0D70011CBBE28F9C1E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047141Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:19.044{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FFFB074861117C9FAA4FD7024242C4,SHA256=CE3E998070E6A5AF4BBC13703B7D4AADA9DBE5F370E4FBA3E7107166A3E6F901,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026500Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:20.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6099EEF5C4DB25809670EB947E2D26FE,SHA256=D514A801598488D23F463CCAA6B028E4A9D7B0CEACA8AAC7E5FDB29A40E3A949,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026499Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:17.756{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x800000000000000047143Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:17.068{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52310-false10.0.1.12-8000-
23542300x800000000000000047142Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:20.059{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8299BABCA59F5FCD3C55E6C7738BA38A,SHA256=CC2D1F736D10B789BE575BD88516DD13FC457B3DD6360F9F63320704DED901D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026501Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:21.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D0E18D73124D1C4272CA464F22B4A6,SHA256=39103404D859E2DC482D953013BC9B151F7C023F76A6067125DFE753798CC3BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047144Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:21.074{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F61A4C850C0B81DC97309AA334AB6DD,SHA256=FB1CBFB4E08FB42000337271AFE2BEEA5EDBC2E2529E3F37AD80BD4318D41342,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026502Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:22.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0441FAD111B789436AA809D1C3070003,SHA256=426B401D1E069714E5B52F00A60CC3E4320F861EC6F94DF3D34E303CC91464B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047145Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:22.092{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00446CCF8B3AD944B8F6C3DC9C291CEF,SHA256=B28E0E3172BBE598CD1C8B63B1DF8067D4F33422F18A7CC18BCF6C777C0C8913,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026503Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:23.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF23CE33C353DD6284388D5185405273,SHA256=AF59DA7E5425D5CC4F0A725975DB1B7DD7200CCD72685A1D8C2342786A9887C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047146Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:23.109{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6963D58D4C57FBD0179871894DC1ED8A,SHA256=D8A306D07D88217652BF12DF20D0292892413E01471B5DE47B2AD3DC0E246D99,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026504Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:24.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08279E0089B22981B6BDCB5E5DA504A,SHA256=878D75E3B9B2C930A40C605AC63061D139DDFCFF266D838FEE2E1DCBEFA32C24,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047147Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:24.140{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882D6A6CD91E540637219B8C0B3FC132,SHA256=51A2A545A9D9C8AFB4048BF2C0439F9E5D7B403FDF3173FE4A5E844B876702D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026506Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:25.845{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B5181257819E5DE979C7EF09ED19F9,SHA256=A110A6800DD68204F8CA938F2850CA818EAC75E08FF031995CAE241AE1B70817,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026505Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:22.865{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x800000000000000047157Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB05-6124-3F09-00000000F001}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047156Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047155Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047154Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047153Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047152Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB05-6124-3F09-00000000F001}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000047151Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.638{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB05-6124-3F09-00000000F001}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000047150Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.639{80A11F3A-BB05-6124-3F09-00000000F001}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000047149Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:22.079{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52311-false10.0.1.12-8000-
23542300x800000000000000047148Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:25.154{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F3A96A85DC0060557E5F467A97DEE0,SHA256=6903E62BDAAD0EE7273EB09DF3940F9BE8BCADB5F07134856D8BF38FCD337B4F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026507Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:26.861{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A249ABF66312B7A595750AB7536211,SHA256=435AF7CEA6B0AAD52B798AAFAB72AB5B85E9EE8B8F3FA750D0F6CE2038974D90,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000047176Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB06-6124-4109-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047175Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047174Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047173Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047172Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047171Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-9FFA-6124-0500-00000000F001}416432C:\Windows\system32\csrss.exe{80A11F3A-BB06-6124-4109-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000047170Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB06-6124-4109-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000047169Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.822{80A11F3A-BB06-6124-4109-00000000F001}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000047168Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.653{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=911B06E8D8B0EE1F987AE19AFD01D403,SHA256=7CFFE38109926B695A7955F9DB99C317D469D91CDAD815546D4A3F5B2B04726D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047167Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.653{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46868AC0F0138BD18285FB54894A5BF8,SHA256=8CE4E075974240DEC582617E7595427591D2C16AC23784A27B037CB452942B7D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047166Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.191{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042F20549A6CDB95624D6E0073B1754C,SHA256=3A4C2AC21C84ACF14BDF3F7F25FEEB44F6E390D6D1CF61DC0445CE099DEDEBCD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000047165Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.138{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB06-6124-4009-00000000F001}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047164Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:26.138{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Sysmon events, one per line, in the exported field order: EventID Version Level Task Opcode Keywords EventRecordID Channel Computer, then the EventData fields of that event type (10 = ProcessAccess, 1 = ProcessCreate, 23 = FileDelete). Values containing spaces are single-quoted; CallTrace frames are separated by "|" as Sysmon writes them.
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47163 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:26.138' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47162 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:26.138' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47161 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:26.138' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47160 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:26.138' SourceProcessGUID={80A11F3A-9FFA-6124-0500-00000000F001} SourceProcessId=416 SourceThreadId=532 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={80A11F3A-BB06-6124-4009-00000000F001} TargetProcessId=5956 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe' GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47159 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:26.138' SourceProcessGUID={80A11F3A-A080-6124-A400-00000000F001} SourceProcessId=3688 SourceThreadId=640 SourceImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' TargetProcessGUID={80A11F3A-BB06-6124-4009-00000000F001} TargetProcessId=5956 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe' GrantedAccess=0x1fffff CallTrace='C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781'
EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47158 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:26.139' ProcessGuid={80A11F3A-BB06-6124-4009-00000000F001} ProcessId=5956 Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe' FileVersion=10.0.10011.16384 Description='SplunkMonNoHandle Control Program' Product='Windows (R) Win 7 DDK driver' Company='Windows (R) Win 7 DDK provider' OriginalFileName=SplunkMonNoHandle.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"' CurrentDirectory=C:\Windows\system32\ User='NT AUTHORITY\SYSTEM' LogonGuid={80A11F3A-9FFB-6124-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8 ParentProcessGuid={80A11F3A-A080-6124-A400-00000000F001} ParentProcessId=3688 ParentImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26508 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime='2021-08-24 09:25:27.861' ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User='NT AUTHORITY\SYSTEM' Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe' TargetFilename='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational' Hashes=MD5=D7D69133278F804C87D9280FCFFE1A9C,SHA256=0D0CE85F549C32942DF4B0DB447EF9CEB96C9DF1B4C76071F955F5EB93B3FF5C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47187 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.906' SourceProcessGUID={80A11F3A-A080-6124-A800-00000000F001} SourceProcessId=3236 SourceThreadId=2200 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={80A11F3A-BB07-6124-4209-00000000F001} TargetProcessId=5716 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe' GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47186 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.906' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47185 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.906' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47184 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.906' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47183 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.906' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47182 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.906' SourceProcessGUID={80A11F3A-9FFA-6124-0500-00000000F001} SourceProcessId=416 SourceThreadId=432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={80A11F3A-BB07-6124-4209-00000000F001} TargetProcessId=5716 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe' GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47181 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.906' SourceProcessGUID={80A11F3A-A080-6124-A400-00000000F001} SourceProcessId=3688 SourceThreadId=640 SourceImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' TargetProcessGUID={80A11F3A-BB07-6124-4209-00000000F001} TargetProcessId=5716 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe' GrantedAccess=0x1fffff CallTrace='C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781'
EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47180 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.906' ProcessGuid={80A11F3A-BB07-6124-4209-00000000F001} ProcessId=5716 Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe' FileVersion=8.0.2 Description='Registry monitor' Product='splunk Application' Company='Splunk Inc.' OriginalFileName=splunk-regmon.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"' CurrentDirectory=C:\Windows\system32\ User='NT AUTHORITY\SYSTEM' LogonGuid={80A11F3A-9FFB-6124-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25 ParentProcessGuid={80A11F3A-A080-6124-A400-00000000F001} ParentProcessId=3688 ParentImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47179 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.853' ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User='NT AUTHORITY\SYSTEM' Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe' TargetFilename='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security' Hashes=MD5=911B06E8D8B0EE1F987AE19AFD01D403,SHA256=7CFFE38109926B695A7955F9DB99C317D469D91CDAD815546D4A3F5B2B04726D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47178 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.222' ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User='NT AUTHORITY\SYSTEM' Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe' TargetFilename='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational' Hashes=MD5=C61A40A8274483F3D42954DB97E76DDD,SHA256=D68724CA435B319D9D056C2F4B07FA233F0404177A9302C60BD3F3C10331C60D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47177 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:27.006' SourceProcessGUID={80A11F3A-BB06-6124-4109-00000000F001} SourceProcessId=5172 SourceThreadId=5664 SourceImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe' TargetProcessGUID={80A11F3A-A080-6124-A400-00000000F001} TargetProcessId=3688 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' GrantedAccess=0x101400 CallTrace='C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781'
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26509 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime='2021-08-24 09:25:28.861' ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User='NT AUTHORITY\SYSTEM' Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe' TargetFilename='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational' Hashes=MD5=08391D2E2B83C90A63B1A0A40C5A1796,SHA256=90389A2F0F8EAAA1ECB79E72918EF7FF6E2E83F4B07963D02203F862192377F1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47199 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.921' ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User='NT AUTHORITY\SYSTEM' Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe' TargetFilename='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security' Hashes=MD5=B563DE8AD1E23F46EECAC3942CA6593B,SHA256=1C98890D82FEAE366364C0776DDA139632A69D1886D0DF399A8353D3A617BED1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47198 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.689' SourceProcessGUID={80A11F3A-BB08-6124-4309-00000000F001} SourceProcessId=6116 SourceThreadId=5752 SourceImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe' TargetProcessGUID={80A11F3A-A080-6124-A400-00000000F001} TargetProcessId=3688 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' GrantedAccess=0x101400 CallTrace='C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781'
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47197 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.505' SourceProcessGUID={80A11F3A-A080-6124-A800-00000000F001} SourceProcessId=3236 SourceThreadId=2200 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={80A11F3A-BB08-6124-4309-00000000F001} TargetProcessId=6116 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe' GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47196 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.505' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47195 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.505' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47194 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.505' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47193 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.505' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47192 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.505' SourceProcessGUID={80A11F3A-9FFA-6124-0500-00000000F001} SourceProcessId=416 SourceThreadId=432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={80A11F3A-BB08-6124-4309-00000000F001} TargetProcessId=6116 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe' GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47191 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.505' SourceProcessGUID={80A11F3A-A080-6124-A400-00000000F001} SourceProcessId=3688 SourceThreadId=640 SourceImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' TargetProcessGUID={80A11F3A-BB08-6124-4309-00000000F001} TargetProcessId=6116 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe' GrantedAccess=0x1fffff CallTrace='C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781'
EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47190 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.506' ProcessGuid={80A11F3A-BB08-6124-4309-00000000F001} ProcessId=6116 Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe' FileVersion=- Description=- Product=- Company=- OriginalFileName=- CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"' CurrentDirectory=C:\Windows\system32\ User='NT AUTHORITY\SYSTEM' LogonGuid={80A11F3A-9FFB-6124-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C ParentProcessGuid={80A11F3A-A080-6124-A400-00000000F001} ParentProcessId=3688 ParentImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47189 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.236' ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User='NT AUTHORITY\SYSTEM' Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe' TargetFilename='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational' Hashes=MD5=FC020820C11D5C162C2BB65D5FC64471,SHA256=67BAEE51A283140B9E11FF178A570CFDB35A54DD10FF00A077E20EB1D03BA932,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47188 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:28.068' SourceProcessGUID={80A11F3A-BB07-6124-4209-00000000F001} SourceProcessId=5716 SourceThreadId=2140 SourceImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe' TargetProcessGUID={80A11F3A-A080-6124-A400-00000000F001} TargetProcessId=3688 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' GrantedAccess=0x101400 CallTrace='C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781'
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=26510 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-944 RuleName=- UtcTime='2021-08-24 09:25:29.861' ProcessGuid={D371C250-A25C-6124-D900-00000000F101} ProcessId=3956 User='NT AUTHORITY\SYSTEM' Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe' TargetFilename='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational' Hashes=MD5=B3CDB98D410F455074B9A9F44EC55044,SHA256=1421219CB8A39555A7E06F76B83607F365B7AB56D9E156384E64C4B89514B72E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47217 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.788' SourceProcessGUID={80A11F3A-A080-6124-A800-00000000F001} SourceProcessId=3236 SourceThreadId=2200 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={80A11F3A-BB09-6124-4509-00000000F001} TargetProcessId=5500 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe' GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47216 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.788' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47215 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.788' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47214 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.788' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47213 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.788' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47212 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.788' SourceProcessGUID={80A11F3A-9FFA-6124-0500-00000000F001} SourceProcessId=416 SourceThreadId=432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={80A11F3A-BB09-6124-4509-00000000F001} TargetProcessId=5500 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe' GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47211 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.788' SourceProcessGUID={80A11F3A-A080-6124-A400-00000000F001} SourceProcessId=3688 SourceThreadId=640 SourceImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' TargetProcessGUID={80A11F3A-BB09-6124-4509-00000000F001} TargetProcessId=5500 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe' GrantedAccess=0x1fffff CallTrace='C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781'
EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47210 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.787' ProcessGuid={80A11F3A-BB09-6124-4509-00000000F001} ProcessId=5500 Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe' FileVersion=8.0.2 Description='Windows Print Monitor' Product='splunk Application' Company='Splunk Inc.' OriginalFileName=splunk-winprintmon.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"' CurrentDirectory=C:\Windows\system32\ User='NT AUTHORITY\SYSTEM' LogonGuid={80A11F3A-9FFB-6124-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748 ParentProcessGuid={80A11F3A-A080-6124-A400-00000000F001} ParentProcessId=3688 ParentImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47209 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.305' SourceProcessGUID={80A11F3A-BB09-6124-4409-00000000F001} SourceProcessId=5740 SourceThreadId=6372 SourceImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe' TargetProcessGUID={80A11F3A-A080-6124-A400-00000000F001} TargetProcessId=3688 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe' GrantedAccess=0x101400 CallTrace='C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781'
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47208 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.252' ProcessGuid={80A11F3A-A08E-6124-DF00-00000000F001} ProcessId=3932 User='NT AUTHORITY\SYSTEM' Image='C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe' TargetFilename='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational' Hashes=MD5=44E2AB3956BC27CDE776F7E552960FED,SHA256=F94EFF225FA5B76E0A295655356090485253F6C1FE44040B346812D98F8DF523,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47207 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.120' SourceProcessGUID={80A11F3A-A080-6124-A800-00000000F001} SourceProcessId=3236 SourceThreadId=2200 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={80A11F3A-BB09-6124-4409-00000000F001} TargetProcessId=5740 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe' GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47206 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.120' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47205 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.120' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47204 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.120' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47203 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.120' SourceProcessGUID={80A11F3A-9FFC-6124-0C00-00000000F001} SourceProcessId=852 SourceThreadId=5808 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={80A11F3A-A00D-6124-2D00-00000000F001} TargetProcessId=2148 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=47202 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-391.attackrange.local RuleName=- UtcTime='2021-08-24 09:25:29.120' SourceProcessGUID={80A11F3A-9FFA-6124-0500-00000000F001} SourceProcessId=416 SourceThreadId=432 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={80A11F3A-BB09-6124-4409-00000000F001} TargetProcessId=5740 TargetImage='C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe' GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000047201Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.120{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB09-6124-4409-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000047200Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:29.121{80A11F3A-BB09-6124-4409-00000000F001}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026511Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:30.877{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D26E67F3CD02349FEF7CCB4E84E5FF,SHA256=56FEBC6344B27C264268B596E8EE88D630847C8DE114696BE14EA2A2976E3EE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047219Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:30.252{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3C8464A20784F535D8B5B6D12A142F,SHA256=8FB12322212088526DA9B208E26CBAB27402E5C38D6844E2998874A90E22D2B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047218Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:30.136{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DBE4A46AD2833DEE71418531CEBBFDE,SHA256=CF03462879599B62C2EEB8A27414F9BE7108DAE4BFF217DC1788C56ADFE72B9A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026513Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:31.877{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF1EE401FEED8F29DC8C7311BE68913,SHA256=0FD3E0F52FBEFE41728BEFA3E780D0C478633476F7E7508BE98195EDC271C298,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047221Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:28.007{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52312-false10.0.1.12-8000-
23542300x800000000000000047220Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:31.267{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC23EEBF315B212CEE360ED61ABD4344,SHA256=EBAA97F654DFAA75E4912ED73A9CD26BA063D247B4A164C2998177E14A36BD17,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026512Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:28.662{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026516Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:32.889{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7590515640DDBD41CED363056C8ED9,SHA256=C594675B1D46891C0A6527D3B0389492447F7DCD7E969EBA47AE1191DCFA525E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047222Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:32.284{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4597A34417E906D081C99B25C3958AD,SHA256=125ED91E488761B0C030334741E7B3B81972D17D4801059E9776C5075CEFA22E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026515Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:32.811{D371C250-A24D-6124-9E00-00000000F101}2996NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026514Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:32.411{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\respondent-20210824073752-104MD5=3E68AA70F59B51FF348AEA647175EFEC,SHA256=C5AE0E32D021886757477DF5F39D9238799BB6BCB0D4F830DB1584DCBCA64EED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026518Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:33.903{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BF72258151950F3397135D4D6C2883,SHA256=F14FC01D94E920BF4D1964C6183C2AE4309F9A87CC0A896EA59E188C2A2F0DFE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026517Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:33.421{D371C250-A1CE-6124-1F00-00000000F101}1960NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f4afa6fd0baf0d0a\channels\health\surveyor-20210824073750-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047223Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:33.318{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4D968D02E3BE88D73AA61F351944F2,SHA256=005041615EB99FB571E096CA059DE319C25B253426CA693C4FF1D496734219EC,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026519Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:32.409{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
23542300x800000000000000047224Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:34.348{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09FB0FBB9905188A729F18511D90443,SHA256=7CE71079BE6881BBAEE58B63F3E09AA71E026D0CFA033CE250E01151FDED4C18,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026520Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:35.124{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9E722795DAD0912F31E13807035DAA,SHA256=BB26DDFF87191FCD57AD24892210F2D089571C82341A8CDE636E79FF870D6668,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047225Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:35.348{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C28F2858DB7E274157CEAC992FD2525,SHA256=EA6D866E46FEAE23785A4F91821565C71ED92DA9A8BF8EABD9A88A13E15B024D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026522Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:36.343{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0327BA68FFE80C3EFB53F457EF6212AF,SHA256=BFE7833D677110666A89C4EA71D526363B9BACF1E6F72344010358B616C16CD2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000047268Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047267Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047266Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047265Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047264Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047263Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047262Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047261Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45A-6124-F804-00000000F001}5728C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047260Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047259Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047258Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047257Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047256Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047255Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047254Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047253Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047252Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047251Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047250Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047249Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047248Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047247Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047246Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047245Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047244Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047243Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047242Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047241Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047240Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047239Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047238Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047237Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A44E-6124-D004-00000000F001}4160C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047236Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047235Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000047234Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC20474F626503FD83ABCDB190935D07,SHA256=036F53E59B774CF4C069E145F8F37F91E61C5CF8539DEB96C1BB89D528F00D25,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000047233Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047232Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047231Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047230Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047229Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047228Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A45B-6124-FB04-00000000F001}5300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047227Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047226Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:36.363{80A11F3A-9FFC-6124-0D00-00000000F001}908928C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2E00-00000000F001}1360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x800000000000000026521Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:33.800{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026523Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:37.421{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42A15994AC6FCE7C02AE291557FA4F4,SHA256=CC2C05895307C7DD7108E7FDFFE5BFBA09AA54A9E062567EFCC357031440EF25,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047270Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:34.025{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52313-false10.0.1.12-8000-
23542300x800000000000000047269Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:37.799{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C868B7B831A29163AD0578043D765C,SHA256=E4DE2765857D8AC297935C3A7BC4F3A283C1AEBA15FE7FEEBA96FBB9527FBF23,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026524Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:38.421{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8075AD3DA9DA2A81750122684F821971,SHA256=0F83C75A62DACB2A3FE3266D85A08A969156D3CCB945A10EF9026CA54BD47AEA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047273Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:38.814{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB44AAC57170C98B1E439547E27394F,SHA256=86DFB215F24F9C7336215A1FC82FAA6BA79FFD3703421D486F4A40B5EB259295,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047272Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:38.714{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B96998F7FBFF6518501D07EC0CA73CAC,SHA256=383EAA224D564ADFD8435EBC2121C822628C77AB57B093E3944155FAEFB61640,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047271Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:38.714{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D211690C1AEB37D76F0D11284546E6F,SHA256=FEA7526CBBC42D1386E38E75C1BBD9A7D126F2367898FD75119065E6725D1B5D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026525Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:39.452{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F77133EEAECC0962AD809E14047532,SHA256=E5E17AFA87C45CC841C350518934D1AF8E0039807D80B5464CC10E15051F511F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047279Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:35.624{80A11F3A-9FFB-6124-0B00-00000000F001}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52314-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap
354300x800000000000000047278Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:35.624{80A11F3A-A00D-6124-2800-00000000F001}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-391.attackrange.local52314-true0:0:0:0:0:0:0:1win-dc-391.attackrange.local389ldap
23542300x800000000000000047277Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:39.829{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFF27CDAA325142D279D182DE76CA29,SHA256=6FD7B047C457F51CA6BAA676A13D96A9C755E720BF4E1BE49AEFCF088419AB6D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000047276Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:39.030{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047275Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:39.030{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047274Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:39.030{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-9FFD-6124-1500-00000000F001}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026526Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:40.687{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEE2FACF513FD39F9B7677A5FA8A0DB,SHA256=7B5BFFB9665C2B29ABC7CEA20EF5D2A6B3AA90B8FD23CD3D4DE5BD4DE7E02DA7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047280Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:40.844{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB36008D4CEC3B9616A64D850390291,SHA256=06C8357A1F55BD853AA0A95A45774BC033AFA37DDBFAFCF605896263C13123FF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026528Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:41.905{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98105C3026457C381609F1765BDA7A7,SHA256=B4889E9450576999DF260802F39EA76913138AC275739313BABF3F1096C2FDD0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047285Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.858{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1683D206BB6BB2ABF2CEC16FAEFB42BD,SHA256=4CA27D220F17808FF81BAC4B27C12D5C366EEACD9274A7D203AF6C1D453DE129,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026527Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:38.863{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x800000000000000047284Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.228{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad
10341000x800000000000000047283Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.228{80A11F3A-A44E-6124-D004-00000000F001}41604992C:\Windows\Explorer.EXE{80A11F3A-A5BA-6124-9206-00000000F001}5540C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802F6EDE8A8)|UNKNOWN(FFFFDD60FA6A5B68)|UNKNOWN(FFFFDD60FA6A5CE7)|UNKNOWN(FFFFDD60FA6A0371)|UNKNOWN(FFFFDD60FA6A1D3A)|UNKNOWN(FFFFDD60FA69FFF6)|UNKNOWN(FFFFF802F6BF6103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000047282Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.228{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF69e4e3.TMPMD5=DE2C2DC7AC7CA60981DEDF95D7D42EF8,SHA256=FCA4BAB71BCBD425757363A708F77D849276031ABC30B3CE7F82EDD60A2457E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047281Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:41.212{80A11F3A-A5BA-6124-9206-00000000F001}5540ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\03bm82ms.default-release\datareporting\aborted-session-pingMD5=4BB6A21FB3DD5F49AB4D84E24636C29F,SHA256=AA24F46326F09308C1A5740997C2CDDF07034F64C092CD9C7342FAA551E6286F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026529Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:25:42.921{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF4E42E60E9CF1FA469454C6C434165,SHA256=01D20A492D0CC52D4DDC6A971F57C0C1E3D6C51EF4D457BD3B0C2C2A57F3D4B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047286Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:42.875{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D85E008F81117369CB404C8A20772F6,SHA256=6135ED14AF321327D3D6311F6DD711A9E8539260318F1D80BAC41AD7264B71D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047287Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:25:43.894{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31ED0275B47F5B1F7D561E898F75093,SHA256=6D5AB47AEC640D7812BBFC0C8B5177ED2868AE7B2AF8C9EF1B56A7E16A8B9E8C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026564Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026563Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026562Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026561Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026560Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026559Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BB2F-6124-AF06-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026558Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB2F-6124-AF06-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026557Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.880{D371C250-BB2F-6124-AF06-00000000F101}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026556Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:07.192{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6DF81AF420E1A3208027125AC78EA4,SHA256=4DA6E999C8C226AACED118F231BF45683F95FE8E0009F90959D68D00366FBD81,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047333Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:07.294{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855724625100E390E0FE410B1DC9EC1A,SHA256=6E66D2033AB328B5B29F70D61BFA2AD957CA722F8EAC7FD76BC772316195F89D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026586Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.942{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3030AC3B9DF4E0BDCDB820F21A3013C3,SHA256=EEFC2B479051E47A46C765CACA55501FAABDF2756B7B93AE4DCAC2E512B06F8B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026585Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.942{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C478229EA40ABC59563E8CDA6FC1E790,SHA256=986E9F7D7D3A5B4F9C8187B9D435A7B11D0DA249EF3E269AC2FBBA60AE5193AF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026584Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:06.791{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026583Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.583{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0560998B9603015DF685FAAFE9452B10,SHA256=E3AE78A2667DD4158BDB3989111756FC60AE8F9DD546F717412579B1E7A1CCFB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047335Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:08.340{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CB4EA35A1458D17A6A0D61C6B9264E50,SHA256=37DB67B902CB50474C3806905990F96BEB942D5686C13BB9744D0735912C5555,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047334Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:08.309{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC3E30F08724BA9B5761FBEF8E22285,SHA256=9BCCE9AA7008E9768DB4B8F778C4E66D6733D550FC30245EBCB1C2B135EE04FC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026582Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB30-6124-B006-00000000F101}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026581Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026580Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026579Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026578Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026577Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026576Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026575Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026574Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026573Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026572Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BB30-6124-B006-00000000F101}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026571Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.380{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB30-6124-B006-00000000F101}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026570Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:08.381{D371C250-BB30-6124-B006-00000000F101}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026601Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.598{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333F5961AC23310D82F1A39422EAE6E2,SHA256=966DB427BC025C16E59FA79D43B2C2613C57E6055110BEDD449CE7923B058E5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047336Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:09.339{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E08FA13FEC809B760842A114C46F91C,SHA256=284684540E52C9733A5B2CB901A3C7EBDD27061F076F96CB6C6594F74477E0E8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026600Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.239{D371C250-BB31-6124-B106-00000000F101}27962500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026599Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB31-6124-B106-00000000F101}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026598Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026597Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:09.052{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Microsoft-Windows-Sysmon/Operational events, one record per entry, fields labelled per the Sysmon event schema (System header: Level 4, Opcode 0, Keywords 0x8000000000000000 for every record; the schema version is given with the event ID).

EventID 10 ProcessAccess (v3)  RecordID 26596  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26595  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26594  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26593  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26592  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26591  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26590  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26589  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Source: C:\Windows\system32\csrss.exe  PID 408  TID 1048  GUID {D371C250-A1CC-6124-0500-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe  PID 2796  GUID {D371C250-BB31-6124-B106-00000000F101}
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 ProcessAccess (v3)  RecordID 26588  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Source: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  PID 2996  TID 3340  GUID {D371C250-A24D-6124-9E00-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe  PID 2796  GUID {D371C250-BB31-6124-B106-00000000F101}
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 ProcessCreate (v5)  RecordID 26587  Computer win-host-944  UtcTime 2021-08-24 09:26:09.052  RuleName -
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe  PID 2796  GUID {D371C250-BB31-6124-B106-00000000F101}
  FileVersion: 8.0.2  Description: Active Directory monitor  Product: splunk Application  Company: Splunk Inc.  OriginalFileName: splunk-admon.exe
  CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
  CurrentDirectory: C:\Windows\system32\  User: NT AUTHORITY\SYSTEM  LogonGuid: {D371C250-A1CC-6124-E703-000000000000}  LogonId: 0x3e7  TerminalSessionId: 0  IntegrityLevel: System
  Hashes: MD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165
  Parent: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  PID 2996  GUID {D371C250-A24D-6124-9E00-00000000F101}  ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 23 FileDelete (v5)  RecordID 26617  Computer win-host-944  UtcTime 2021-08-24 09:26:10.833  RuleName -
  Process: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  PID 3956  GUID {D371C250-A25C-6124-D900-00000000F101}  User NT AUTHORITY\SYSTEM
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=511085FF15E32F0CB1DBCB52995DC7AB,SHA256=6A2BA2EC9A0E6DA7C6B12FA20553D6BAB42FA7D88314B5CFFD9AE7382E5DA0E5,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: true

EventID 3 NetworkConnect (v5)  RecordID 47338  Computer win-dc-391.attackrange.local  UtcTime 2021-08-24 09:26:07.103  RuleName -
  Process: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe  PID 1116  GUID {80A11F3A-A088-6124-D200-00000000F001}  User NT AUTHORITY\SYSTEM
  Protocol: tcp  Initiated: true
  Source: 10.0.1.14 (SourceHostname win-dc-391.attackrange.local)  SourcePort 52324  SourcePortName -  SourceIsIpv6 false
  Destination: 10.0.1.12 (DestinationHostname -)  DestinationPort 8000  DestinationPortName -  DestinationIsIpv6 false

EventID 23 FileDelete (v5)  RecordID 47337  Computer win-dc-391.attackrange.local  UtcTime 2021-08-24 09:26:10.360  RuleName -
  Process: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  PID 3932  GUID {80A11F3A-A08E-6124-DF00-00000000F001}  User NT AUTHORITY\SYSTEM
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=F413E2348BCC6DFAAE16979402FE82BD,SHA256=2BEA95DE207BD88482A6CAAE0379790FED484D19665A08006DC9B7D245280920,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: true

EventID 10 ProcessAccess (v3)  RecordID 26616  Computer win-host-944  UtcTime 2021-08-24 09:26:10.177  RuleName -
  Source: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  PID 496  TID 536  GUID {D371C250-BB32-6124-B206-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  PID 2996  GUID {D371C250-A24D-6124-9E00-00000000F101}
  GrantedAccess: 0x101400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 23 FileDelete (v5)  RecordID 26615  Computer win-host-944  UtcTime 2021-08-24 09:26:10.052  RuleName -
  Process: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  PID 3956  GUID {D371C250-A25C-6124-D900-00000000F101}  User NT AUTHORITY\SYSTEM
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes: MD5=3030AC3B9DF4E0BDCDB820F21A3013C3,SHA256=EEFC2B479051E47A46C765CACA55501FAABDF2756B7B93AE4DCAC2E512B06F8B,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: true

EventID 10 ProcessAccess (v3)  RecordID 26614  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\conhost.exe  PID 632  TID 732  GUID {D371C250-A24D-6124-A200-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  PID 496  GUID {D371C250-BB32-6124-B206-00000000F101}
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26613  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26612  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26611  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26610  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26609  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26608  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26607  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26606  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26605  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26604  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Windows\system32\csrss.exe  PID 408  TID 1044  GUID {D371C250-A1CC-6124-0500-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  PID 496  GUID {D371C250-BB32-6124-B206-00000000F101}
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 ProcessAccess (v3)  RecordID 26603  Computer win-host-944  UtcTime 2021-08-24 09:26:10.036  RuleName -
  Source: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  PID 2996  TID 3340  GUID {D371C250-A24D-6124-9E00-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  PID 496  GUID {D371C250-BB32-6124-B206-00000000F101}
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 ProcessCreate (v5)  RecordID 26602  Computer win-host-944  UtcTime 2021-08-24 09:26:10.037  RuleName -
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  PID 496  GUID {D371C250-BB32-6124-B206-00000000F101}
  FileVersion: -  Description: -  Product: -  Company: -  OriginalFileName: -
  CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
  CurrentDirectory: C:\Windows\system32\  User: NT AUTHORITY\SYSTEM  LogonGuid: {D371C250-A1CC-6124-E703-000000000000}  LogonId: 0x3e7  TerminalSessionId: 0  IntegrityLevel: System
  Hashes: MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
  Parent: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  PID 2996  GUID {D371C250-A24D-6124-9E00-00000000F101}  ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 10 ProcessAccess (v3)  RecordID 26646  Computer win-host-944  UtcTime 2021-08-24 09:26:11.989  RuleName -
  Source: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  PID 1900  TID 3556  GUID {D371C250-BB33-6124-B406-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  PID 2996  GUID {D371C250-A24D-6124-9E00-00000000F101}
  GrantedAccess: 0x101400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 23 FileDelete (v5)  RecordID 26645  Computer win-host-944  UtcTime 2021-08-24 09:26:11.958  RuleName -
  Process: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  PID 3956  GUID {D371C250-A25C-6124-D900-00000000F101}  User NT AUTHORITY\SYSTEM
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=0F7B90C5F776B5551661F54762D85F38,SHA256=427D1DAD2D563350F7548198DA8BE8F40DE83C6D9AAF345A80E780AFDCC217BD,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: true

EventID 23 FileDelete (v5)  RecordID 47339  Computer win-dc-391.attackrange.local  UtcTime 2021-08-24 09:26:11.375  RuleName -
  Process: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  PID 3932  GUID {80A11F3A-A08E-6124-DF00-00000000F001}  User NT AUTHORITY\SYSTEM
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=C6EE1B8196F5DDC3F437381AD95C32C6,SHA256=9BDE904756013D764DA77FBFF3E088FA042B4C07A4E7E7A5E0073C5DCE750517,IMPHASH=00000000000000000000000000000000
  IsExecutable: false  Archived: true

EventID 10 ProcessAccess (v3)  RecordID 26644  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\conhost.exe  PID 632  TID 732  GUID {D371C250-A24D-6124-A200-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  PID 1900  GUID {D371C250-BB33-6124-B406-00000000F101}
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26643  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26642  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26641  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26640  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26639  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26638  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26637  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26636  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26635  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\svchost.exe  PID 720  TID 3576  GUID {D371C250-A1CD-6124-0C00-00000000F101}
  Target: C:\Windows\sysmon64.exe  PID 1248  GUID {D371C250-A1CE-6124-2200-00000000F101}
  GrantedAccess: 0x1400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26634  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Windows\system32\csrss.exe  PID 408  TID 424  GUID {D371C250-A1CC-6124-0500-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  PID 1900  GUID {D371C250-BB33-6124-B406-00000000F101}
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 ProcessAccess (v3)  RecordID 26633  Computer win-host-944  UtcTime 2021-08-24 09:26:11.833  RuleName -
  Source: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  PID 2996  TID 3340  GUID {D371C250-A24D-6124-9E00-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  PID 1900  GUID {D371C250-BB33-6124-B406-00000000F101}
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 ProcessCreate (v5)  RecordID 26632  Computer win-host-944  UtcTime 2021-08-24 09:26:11.834  RuleName -
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  PID 1900  GUID {D371C250-BB33-6124-B406-00000000F101}
  FileVersion: 8.0.2  Description: Registry monitor  Product: splunk Application  Company: Splunk Inc.  OriginalFileName: splunk-regmon.exe
  CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
  CurrentDirectory: C:\Windows\system32\  User: NT AUTHORITY\SYSTEM  LogonGuid: {D371C250-A1CC-6124-E703-000000000000}  LogonId: 0x3e7  TerminalSessionId: 0  IntegrityLevel: System
  Hashes: MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25
  Parent: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  PID 2996  GUID {D371C250-A24D-6124-9E00-00000000F101}  ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 10 ProcessAccess (v3)  RecordID 26631  Computer win-host-944  UtcTime 2021-08-24 09:26:11.364  RuleName -
  Source: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  PID 1812  TID 1644  GUID {D371C250-BB33-6124-B306-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  PID 2996  GUID {D371C250-A24D-6124-9E00-00000000F101}
  GrantedAccess: 0x101400
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess (v3)  RecordID 26630  Computer win-host-944  UtcTime 2021-08-24 09:26:11.161  RuleName -
  Source: C:\Windows\system32\conhost.exe  PID 632  TID 732  GUID {D371C250-A24D-6124-A200-00000000F101}
  Target: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  PID 1812  GUID {D371C250-BB33-6124-B306-00000000F101}
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026629Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026628Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026627Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026626Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026625Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026624Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026623Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026622Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026621Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026620Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A1CC-6124-0500-00000000F101}408424C:\Windows\system32\csrss.exe{D371C250-BB33-6124-B306-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026619Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.161{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB33-6124-B306-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026618Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.162{D371C250-BB33-6124-B306-00000000F101}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026661Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.974{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F1F1225A4AF0752121131BD203E5AB,SHA256=1CACA27B334ED7C2642D537AE5D49D9C8D0F6363B4B1727585C4CC0155F4BF34,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047340Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:12.390{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A0A02C27963D70E76C45525ACC87CE,SHA256=7965CF84BE50D40D97A4A7BDE8527004011A36E7EE6CEF0C3C2CB8935A4C5872,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026660Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB34-6124-B506-00000000F101}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026659Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026658Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026657Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026656Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026655Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026654Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026653Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026652Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026651Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026650Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A1CC-6124-0500-00000000F101}408524C:\Windows\system32\csrss.exe{D371C250-BB34-6124-B506-00000000F101}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026649Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.505{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB34-6124-B506-00000000F101}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026648Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.506{D371C250-BB34-6124-B506-00000000F101}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026647Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:12.208{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70CC3685FADA46326D48374DB33596E6,SHA256=0888A9D495368E84716C3AC5D53032FE5271F4E2E9DAEF4FB5BB547BC19E585F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026663Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:13.974{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0995A3DFD51618F1F5CC534349EF42,SHA256=77220EDF574B6EF64BEF78B4C7049F4884056F807500F0EECC7A0E23BC236439,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047341Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:13.405{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6446B989A46BF714CCAB05A805F7200A,SHA256=BB054B7508AFED0325676F0EA73AC0908211CC71A7B92C439AD1469F1D3B438A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026662Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:13.505{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A81E6391FCF68E1A1DBB38F8A39F1B,SHA256=E36308A5E83315B63E23A1138444DCBA46D8EA2921F8D259BF1D96B80AA8DCB9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026665Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:14.974{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514F8C5B94CDA091ED98DA271DA50584,SHA256=0167BEA61CEF35BED5909F6AA1BCD5795E3D42C75A72632A52B336C42263E6F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047342Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:14.405{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F763922850346C24E8F16FE7231613B5,SHA256=7DF7AD8E3AC03AA3E917D9D592F64F93E559E901196206A8FBBDBBD9872C9424,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026664Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:11.838{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal50998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x800000000000000047350Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:15.988{80A11F3A-A44E-6124-D004-00000000F001}41604064C:\Windows\Explorer.EXE{80A11F3A-A4F9-6124-6306-00000000F001}1648C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047386Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB42-6124-4709-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000047385Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047384Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047383Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047382Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.328{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB42-6124-4709-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000047381Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:26.329{80A11F3A-BB42-6124-4709-00000000F001}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026678Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:27.895{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DD5119067F86B6EE6886E8B15CB7A2,SHA256=7AFFDB6FAB4117FCE961E42D708B3159697FE181B7E167F69AEB8DC399B62EF2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047410Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.949{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FE7A79E960142A7437BA7A7AF55392E,SHA256=957CFE084E5FFD89CAEF3A1D47A1F3373C15E4101B353FBD4D6D846976B358C9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000047409Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB43-6124-4909-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047408Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047407Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047406Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047405Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047404Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB43-6124-4909-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000047403Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.927{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB43-6124-4909-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000047402Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.928{80A11F3A-BB43-6124-4909-00000000F001}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000047401Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.628{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5304401A211DFF972BC1B97CE9A8FEB,SHA256=F349D16EB3F550A60876BE38487041EF6F7B47762A75EBFF2C29B6BCD38B32FF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000047400Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:27.097{80A11F3A-BB42-6124-4809-00000000F001}6924656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026679Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:28.989{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D615128C0F7B67A5BD9C3AE4DF477B5,SHA256=A2E55A9C141FDA7BEF1D4036BFF490EF1DABF8865624AFC95DCAE7BF21F2243B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047422Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:24.992{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52327-false10.0.1.12-8000-
10341000x800000000000000047421Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.796{80A11F3A-BB44-6124-4A09-00000000F001}63726248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000047420Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.649{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1600D3CF89B2A2EC3B033493872662F4,SHA256=BF732F65E9AC6C820A85C77258D49269A359BA7232F45B0D412ECFDD8DF61580,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000047419Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB44-6124-4A09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047418Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047417Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047416Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047415Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047414Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-9FFA-6124-0500-00000000F001}4162924C:\Windows\system32\csrss.exe{80A11F3A-BB44-6124-4A09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000047413Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-A080-6124-A400-00000000F001}3688640C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{80A11F3A-BB44-6124-4A09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000047412Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.612{80A11F3A-BB44-6124-4A09-00000000F001}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{80A11F3A-9FFB-6124-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000047411Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:28.112{80A11F3A-BB43-6124-4909-00000000F001}49566116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000026681Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:29.991{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A32BC66B93A46A42A621023C988041A,SHA256=B0F68CE13E95CBC5D11D77ACE9C0EFA40FF2092672ED1927A0D55CD4648A5009,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000047441Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-A080-6124-A800-00000000F001}32362200C:\Windows\system32\conhost.exe{80A11F3A-BB45-6124-4C09-00000000F001}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047440Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047439Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000047438Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:29.795{80A11F3A-9FFC-6124-0C00-00000000F001}8525808C:\Windows\system32\svchost.exe{80A11F3A-A00D-6124-2D00-00000000F001}2148C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000047468Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:49.036{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B0EB123405672427A6D94914B1663E,SHA256=89E11FF5967BD8F5EE3870B59E80D293F2FCB073CAC29DBB1A39F5DE664D493C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026709Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:50.832{D371C250-A1CD-6124-1100-00000000F101}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A4393BB12466414A6B754F7B5BA26439,SHA256=AD5F34B2DFADD74566EE20B2B0EFE904973052B3E299B505A09ABED8FFA7F73E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026708Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:50.035{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4342D200FDAC2DDEE95A678783B58F87,SHA256=26D5F1DAC0CC33905DE37E7CB9F6026D94C4B378EC37DE77871368A1EA56B893,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047470Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:46.184{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52332-false10.0.1.12-8000-
23542300x800000000000000047469Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:50.057{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12D25E20E942DE89D612D7AD4508032,SHA256=F42A7EA385B4A5AF02666C4A761F3C1538C19AF50AE6EC6650EE368C9707A20E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026710Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:51.254{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71673E0AB7CA0D02AC26ADDB47F9764,SHA256=34B0C2AB08C4242DBD18CD1B587BBE62187D45E708472261A50BF9F730129262,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047472Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:51.172{80A11F3A-A080-6124-A400-00000000F001}3688NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=2B640B14B078BDE477642A1B0343AB94,SHA256=3B2B580B4DB9BC146C26A020DCDFF562BBB4C06910A12B38AD6DA5D62A770671,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047471Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:51.072{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420A8200F747EE3DA6DCCF6513CCA1AF,SHA256=F30114906844314421E2BBB30868E13E6E5671F3E3359AE29BA11DA51D48FD32,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026712Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:50.775{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51006-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026711Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:52.410{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB1BEE3BB68BA5BCF4D2ACEF52FE3BE,SHA256=37AD733D16325BC6747E03037F7BD3CC2E6B71001ACFE08EE78A7D71F8088C11,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047473Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:52.087{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03843B5434CB956218282B18BEE8B848,SHA256=E208EF171DDDD7C557FEBCD631C48594503966044DF34718D7859616770545E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026713Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:53.488{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DE199FFE486C31FDBEC38E5D113568,SHA256=7A1F3C585AE8FF58028B03FF0B96B63DFE3DBA5242A255A3109DAE7938554687,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047475Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:49.084{80A11F3A-A080-6124-A400-00000000F001}3688C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52333-false10.0.1.12-8089-
23542300x800000000000000047474Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:53.088{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D2ABF3372A6BBECF3EE4359D745970,SHA256=93DEDE80E40DC32551CE2AB2B37AAE666F9F8A3533E0F589DCA5F338B8830BFA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026714Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:54.722{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2888F48674C62B4A35BEAEA7B9D13539,SHA256=9BB113BE2F428D11438AAF3AB52C18AFC3F7D71DE52511D057A70F76AAD2BC81,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047476Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:54.103{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB3819A9E4ADC301A77E787D52537B9,SHA256=235BE31C910D3664A074B1090CD638A89F4998683B8CFFA83FCE5EE7A965A2CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026715Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:55.941{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB400FE97621534B5B634A72000CEBA2,SHA256=59F597F1CAF1DA620AF83071B7C7197A6C5ED7588DE1BC34E9E843A2FC229424,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047478Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:52.115{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52334-false10.0.1.12-8000-
23542300x800000000000000047477Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:55.118{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8AD6D0E52ADC2BE5C46EDE7F81C638,SHA256=05AA89349FFC11E54F62C2DB67ABD27B8ED8BB07A5673B89420EF07EA3AC59A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047479Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:56.136{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38C88F476CA3C534D473802EC4A9822,SHA256=72BC7FB431EE3B7FEF992D126EF4725A468744ECF3F158238F10C33EF7574318,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026716Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:57.035{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ACA61846EDE64C73C81965EA478BAF,SHA256=4082DD890BE591D146B9865D731B66CDC6D2AD1D00E4DCD7FB0F75BDBF29EC22,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047480Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:57.154{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95036380A90FE6E21D4DE3230A846EC,SHA256=359DE5F04B3FFD97F6BA250023A3B4E46D8862B848A23AC763E28C91B82465A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026717Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:58.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D7B494EF1DBAA04923B1C69A6729EF,SHA256=6CD4E5B0EB592E0836E76AB8FD819951DE830E2609C48878D0AE878FC3B72E13,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047481Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:58.184{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA6CD9459DC50280A16B643E3C76B0F,SHA256=6F2C0E350BAA8F345A803CF82E85344F573C91E4564172753F8F481AC13EDAA6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047482Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:59.215{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A0CC44160A74234AF8277CD0F26592,SHA256=8E9DAF3CFD7515B260BC5C0529C204A2374038B6F03E71E592AE5FCF069151F8,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026719Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:55.822{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51007-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026718Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:26:59.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299D52F90D268D3314562E84F72621F4,SHA256=94478D78D2463B239909B8681A0F99881CDD78DA85FB2C7E8D344B1A48A6373A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047483Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:00.232{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7A638A3AEEFD0887025E02AEA1BD46,SHA256=907D8798B2BB024B5A8EA5F88E0F0317921A0669C0F47416DC46E7136B2EC9A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026720Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:00.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6172F4A5EB078A9F981DA647D6BF0956,SHA256=7E2134E71C319D243143CE7DEF6C07410AEACF360B5C24C8879B44CC54C75A9F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047485Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:26:58.079{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52335-false10.0.1.12-8000-
23542300x800000000000000047484Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:01.250{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAB04E5E26C4768F7D911E54E5D11A8,SHA256=B5BD2E200FA7E715D59DFE4D9656B235A0B59FAC6BCA66D148B190CAD5A5EAE2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026721Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:01.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CD6CA0F18D1675F28004060A3BF1FD,SHA256=485D8E2D842C8AF1F8A136A001C91F27D9E37BA7DB9CDD0398AEAF4A31F98F3B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026722Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:02.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7D6C6C879CA667B2C96A87C70D63AC,SHA256=25FAB54BFD513980DCE2ABF2F349DA464BD02CF4ADA13B333EE9768749AE43D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047486Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:02.253{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACC30D794948B38CBDBAA2276272144,SHA256=9A825E3DC7D8304CD6F9F7B27D9154A0A547D68B713D30B040447A3F2FC27079,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047487Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:03.283{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AF962410466BA42AEC00058B129AFE,SHA256=8BDB81A984299807D1B53D82BB8F98C53982AE577FBDB32DF0041D376F1B9725,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026724Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:00.838{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51008-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x800000000000000026723Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:03.050{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D558AD3F218EA9D07004659788176708,SHA256=77AE2727E82BB28A527C7A838A9F79307EC59FBFEDC53F80BCA19342E9246E4C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047488Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:04.284{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2132C3E38A8810B17DEA0813AC6697A,SHA256=8A1E86259B520C8B7F6C854897DA31C4828ED54CF2F0536EB82A6C3350B3A3CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026725Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:04.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C47FF392CE6766095C69B3C31794BD,SHA256=7AB3ECFBD3C248960CC764BF510D2F4EA3C68A2FE97BE0EF76AF7F45F4CCA7E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047489Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:05.314{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A785290093D2D5A14870C16664EBDC3,SHA256=29315A3DF09A3D5CE163C85F12F8652DDE8BBA274A530FF8AF5F083738C96DB9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026726Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:05.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E2334D2B20157C13E63165A2E65811,SHA256=2BACCC69015DA45FC9EA2CEE31FDD212F5B368D5BD4059948E4CFFABA348D578,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047490Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:06.350{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E987F44BE23C4E400968E0C451E8205,SHA256=96741F418B03C6C915B8EFAACF0DC3EDD45AE6DD423F80ABF77B14D1D062011B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026727Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:06.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B453CB4A2403522724EB799B6D510452,SHA256=6EF68A090CC79E9084C62E160AED07BEAFB54395025AC55AB091D3744D9FB731,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000047492Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:04.041{80A11F3A-A088-6124-D200-00000000F001}1116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-391.attackrange.local52336-false10.0.1.12-8000-
23542300x800000000000000047491Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:07.381{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9062E0D8E7CFD3D9E3AFC753B6291D,SHA256=8217B1588883FD11D9DE48ABB19A47E5DC5962F135EE5A06E8E00AAF23DB4330,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026741Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB6B-6124-B606-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026740Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026739Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026738Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026737Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026736Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026735Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026734Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026733Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026732Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026731Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A1CC-6124-0500-00000000F101}4081048C:\Windows\system32\csrss.exe{D371C250-BB6B-6124-B606-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026730Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.894{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB6B-6124-B606-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026729Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.895{D371C250-BB6B-6124-B606-00000000F101}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026728Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:07.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD66671087AE57572AE7AABAED6E8F9,SHA256=83422183ADC7633986ED47C278FE95749DDBC1D883D6FC21F9FCE0CB9413DE6B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047494Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:08.411{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9B97B025B272ED8B1556C4019248C7,SHA256=2CE838CFECA7CBDD968BD2195DF08DDEF609F50B7D2FDC5B2EE4C3862BD5A0A0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026756Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB6C-6124-B706-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026755Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026754Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026753Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026752Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026751Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026750Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026749Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026748Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026747Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026746Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A1CC-6124-0500-00000000F101}4081044C:\Windows\system32\csrss.exe{D371C250-BB6C-6124-B706-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x800000000000000026745Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.566{D371C250-A24D-6124-9E00-00000000F101}29963340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D371C250-BB6C-6124-B706-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x800000000000000026744Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.567{D371C250-BB6C-6124-B706-00000000F101}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D371C250-A1CC-6124-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026743Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.066{D371C250-A25C-6124-D900-00000000F101}3956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAD21B2EC49216C4B04398D9CC92181,SHA256=0CBE3685068271C36CF92E95A5DC6396A65778A8CEC64C343E651E3BCF198A47,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000047493Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:08.349{80A11F3A-9FFD-6124-1100-00000000F001}484NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=17C6DF3A10ABC52D50B6D62EB055454A,SHA256=2FA38668FC0D1E017B7511717F4AD7818A0206A21F0DE67946FD0085920B5C81,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026742Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:08.035{D371C250-BB6B-6124-B606-00000000F101}34682536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D371C250-A24D-6124-9E00-00000000F101}2996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x800000000000000047495Microsoft-Windows-Sysmon/Operationalwin-dc-391.attackrange.local-2021-08-24 09:27:09.448{80A11F3A-A08E-6124-DF00-00000000F001}3932NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C47BA5F130B91FE19625E40CD510A2,SHA256=46F1706343F8B31B322D1DB139A211F4D766CD9D6816A98608C78AE1131413C6,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026773Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:06.697{D371C250-A256-6124-D000-00000000F101}2604C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-944.eu-central-1.compute.internal51009-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x800000000000000026772Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A24D-6124-A200-00000000F101}632732C:\Windows\system32\conhost.exe{D371C250-BB6D-6124-B806-00000000F101}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026771Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026770Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026769Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026768Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026767Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026766Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026765Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026764Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026763Microsoft-Windows-Sysmon/Operationalwin-host-944-2021-08-24 09:27:09.238{D371C250-A1CD-6124-0C00-00000000F101}7203576C:\Windows\system32\svchost.exe{D371C250-A1CE-6124-2200-00000000F101}1248C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x800000000000000026762Microsoft-Windows-Sysmon/Operationalwin-host-944